Duende IdentityServer v7 released

Pretty much exactly one year after the release of IdentityServer v6, we are happy to announce our next major version: IdentityServer v7.

Besides the usual cleanup, bug fixing and stability improvements, we have focused on the following major areas.

Compatibility with .NET 8

Microsoft switched to new JWT and JSON plumbing in ASP.NET Core 8. This has caused a lot of subtle compatibility problems for everyone. This is also the main reason older versions of IdentityServer are not compatible anymore with .NET 8.

Addition of Pushed Authorization Requests support

PAR is a more secure way to initiate OpenID Connect and OAuth flows. See our blog post and video.

More OpenTelemetry support

In addition to Otel traces, we also added meters/metrics throughout the code base. See blog post here.

Updated default refresh token behavior

The IETF guidance around various application types has changed over the years. Especially for browser-based applications and refresh token rotation. This update brings us more inline with those recommendations and removes some unneeded complexity. Upcoming blog post - stay tuned.

You can find more details about the improvements, changes and breaking changes in our release notes and the upgrade guides here.

We will now start focussing on our IdentityModel/Access Token Management and BFF libraries for the coming months and after that reveal some of the planned features for the next IdentityServer release.

As usual, thanks for all the feedback and bug reports. We are happy we can constantly improve IdentityServer and make it truly the most powerful and standards compliant OpenID Connect and OAuth solution for .NET.