Every single OAuth/OIDC project needs a solution for token management in client applications at some point. It first sounds like a trivial thing, but it is surprisingly hard to get it right. We have been working on an access token management library for ASP.NET Core on the side for a couple of years now, and we also used it ourselves in our BFF security framework. And while re-visiting it recently, we realized it shows its age and needs some substantial work to maintain.

For our 6.1 we have added first class support for server-side sessions and better session management features. The Problem Normally when a user establishes an authentication session in the browser for an ASP.NET Core application, the state for that session is contained entirely within the cookie. This is also true for authentication sessions in Duende IdentityServer. This means, by default, it’s difficult to perform advanced session management tasks such as:

OpenTelemetry is a collection of tools, APIs, and SDKs for generating and collecting telemetry data (metrics, logs, and traces). This is very useful for analyzing software performance and behavior - especially in highly distributed systems. Now that the tracing part of OTel is finalized, we started adding instrumentation to all relevant parts of IdentityServer - especially around input validators, response generators and stores. The output is very useful for visualizing the control flow and finding performance bottlenecks.