We recently published Duende.AccessTokenManagement.OpenIdConnect 3.0.1, a security hotfix which addresses CVE-2024-51987, a medium-severity security issue that can cause refreshed access tokens to be cached and used for the wrong user.

We encourage everyone using Duende.AccessTokenManagement.OpenIdConnect 3.0.0 to update to version 3.0.1.

Today we are publishing two NuGet packages related to DPoP:

• Duende.IdentityServer 7.0.8, which addresses a low-severity security issue in our DPoP support for local APIs (CVE-2024-49755), and
• Duende.AspNetCore.Authentication.JwtBearer 0.1.3, the first preview of a new series of ASP.NET Core extensions that help you leverage advanced IdentityServer features - in this case DPoP support for APIs.

We encourage everyone using IdentityServer 7.0.0 and later to update to IdentityServer 7.0.8, but do note that most IdentityServer implementations are not affected. In this blog post, we’ll discuss the issue in more detail and the specific circumstances where this vulnerability applies, as well as show how to use the new package to implement DPoP in your ASP.NET APIs.

We think that PAR is one of the easiest ways to increase the security of OAuth and OpenID Connect. That’s why we prioritized the implementation of the RFC and released fully featured support in IdentityServer v7.

Unfortunately, it wasn’t as straightforward as it could be to add client-side PAR support to an existing ASP.NET Core application using the Microsoft OpenID Connect authentication handler.