Upcoming Duende IdentityServer 7.2 Preview 1 Release
After our recent 7.1 release of IdentityServer, we’re moving toward version 7.2 and collaborating with the IETF to standardize several specifications. Even though we’re busy, we thought you’d appreciate an update on what’s next. For early adopters, you now have access to IdentityServer 7.2 Preview 1, which includes enhancements, bug fixes, and general improvements to the codebase. This release is now published on all official channels and IdentityServer NuGet packages are available for testing.
In this post, we’ll highlight the notable changes in IdentityServer 7.2 Preview 1 and explain how those changes may affect your current and future deployments of IdentityServer.
Overview
Special thanks to Duende developers Joe DeCock, Brett Hazen, Maarten Balliauw, and community contributors Simon Cropp and Alexander Oliver Mader for their contributions.
- Do not issue TokenIssuedFailureEvent for the use_dpop_nonce error
- Use AsyncServiceScope in Background Services
- Use query-safe URL fragment when returning an error
- Add option for strict validation of assertion audiences
- General improvements to XML documentation and null reference exception handling
Additionally, we’ve been hard at work attending and meaningfully contributing to IETF conversations related to OpenID and standardization. Here is a short overview of their contributions:
Add Option for Strict Validation of Assertion Audiences
We’ve added a new option to enforce that the only private_key_jwt audience allowed is the issuer identifier and that the value is a string – not an array containing a single value.
The audience of private key JWTs has historically been inconsistent across the various OAuth and OpenID specifications. Some specs say to use the issuer identifier, others the token endpoint or other endpoints, and some say to accept both.
However, the IETF and the OpenID Foundation are working to ensure consistency in audience requirements across all specifications. The specification hopes to accomplish consistency by only accepting the issuer identifier. The most recent FAPI (financial grade API) specification requires this strict validation, and the authors are also updating other specifications.
You can enable this option by setting the StrictClientAssertionAudienceValidation property on the IdentityServerOptions instance in your IdentityServer implementation. The default value is currently false.
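To see which client assertions the strict mode would turn away, here is an added example (not IdentityServer’s own code) that models the audience check on a decoded assertion payload; the issuer identifier, token endpoint URL and the lenient "issuer or token endpoint, string or array" behaviour are assumptions made for the illustration:

```python
# Added example, not IdentityServer's code: models the audience check described
# above for a decoded private_key_jwt client assertion (signature already verified).
ISSUER = "https://idsrv.example.com"            # assumed issuer identifier
TOKEN_ENDPOINT = ISSUER + "/connect/token"      # assumed token endpoint URL


def validate_assertion_audience(claims: dict, strict: bool) -> tuple:
    """Return (accepted, reason) for the 'aud' claim of a client assertion.

    strict=True models StrictClientAssertionAudienceValidation: the audience
    must be exactly the issuer identifier, as a plain string.
    strict=False models the lenient behaviour assumed here for illustration:
    issuer identifier or token endpoint, as a string or inside a JSON array.
    """
    aud = claims.get("aud")
    if aud is None:
        return False, "missing aud claim"
    if strict:
        if not isinstance(aud, str):
            return False, "aud must be a string, not an array"
        if aud != ISSUER:
            return False, "aud must equal the issuer identifier"
        return True, "ok"
    values = [aud] if isinstance(aud, str) else list(aud)
    if any(v in (ISSUER, TOKEN_ENDPOINT) for v in values):
        return True, "ok"
    return False, "aud matches neither issuer nor token endpoint"


# Constructed sample assertion payloads for a client with id "client1".
SAMPLE_ASSERTIONS = {
    "string-issuer":  {"iss": "client1", "sub": "client1", "aud": ISSUER},
    "array-issuer":   {"iss": "client1", "sub": "client1", "aud": [ISSUER]},
    "token-endpoint": {"iss": "client1", "sub": "client1", "aud": TOKEN_ENDPOINT},
    "wrong-server":   {"iss": "client1", "sub": "client1", "aud": "https://other.example.com"},
}


def assertions_rejected_by_strict_mode() -> list:
    """Names of sample assertions accepted leniently but rejected once strict mode is on.

    Running this kind of check against your own clients' assertions shows what
    would break before you flip the option in production.
    """
    return [
        name for name, claims in SAMPLE_ASSERTIONS.items()
        if validate_assertion_audience(claims, strict=False)[0]
        and not validate_assertion_audience(claims, strict=True)[0]
    ]
```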
DPoP Nonces and TokenIssuedFailureEvent
Demonstrating Proof-of-Possession, or DPoP, is an enterprise-level security measure that prevents token replay attacks. DPoP makes it difficult for attackers to use stolen tokens to infiltrate your application.
One way to configure DPoP is to require a server-issued nonce value. A nonce prevents replay or pre-generation of the proof tokens used in DPoP by having the authorization server provide a nonce value that the client must include in its signatures. That nonce is provided to the client through a protocol error response.
In IdentityServer 7.1 and earlier, this raised the TokenIssuedFailureEvent because, technically, the token endpoint returns an error. However, this exchange is an expected part of the interaction between client and server. It isn’t an error in the usual sense of the word, and it can happen quite often, resulting in a lot of noise in the logs. Therefore, we no longer raise the TokenIssuedFailureEvent when returning a server-generated DPoP nonce.
For those who still want to know when these responses occur, we have added additional Debug log messages to help diagnose and troubleshoot your client implementations. Because these messages are low severity, you must explicitly enable them in your environments to see them. The existing OTel metrics that track token error responses are unchanged, as they don’t add noise to the logs.
AsyncServiceScope in Background Services
We’ve switched to using AsyncServiceScope so that shared services can provide IAsyncDisposable implementations. An asynchronous scope is helpful when disposing of a resource requires asynchronous calls, for example to release a database connection, run a clean-up process, or complete other blocking operations. We have implemented this change in the TokenCleanupHost and ServerSideSessionCleanupHost.
Use Query-Safe URL Fragment When Returning an Error
We’ve updated IdentityServer to align with the OAuth 2.0 Best Current Practices regarding URL fragments. When IdentityServer returns an error to the client during an interaction, the server will append the “#_” fragment to any such URL. According to the specification, adding the fragment prevents browsers from reattaching fragments to redirection URLs.
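Why the fragment matters, as an added example that is not IdentityServer’s code: RFC 9110 section 10.2.2 has a user agent inherit the fragment of the URL it was redirected from whenever the Location value carries no fragment of its own, so an error redirect without “#_” would deliver whatever fragment was on the authorize request to the client. The URLs and the error parameters are constructed for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Added example, not IdentityServer's code: models browser fragment inheritance on
# redirects (RFC 9110, section 10.2.2) and the effect of the "#_" fragment.


def follow_redirect(current_url, location):
    """Resolve a 3xx Location the way a browser does: keep the old fragment if the new URL has none."""
    if urlsplit(location).fragment:
        return location
    inherited = urlsplit(current_url).fragment
    return location + ("#" + inherited if inherited else "")


def build_error_redirect(redirect_uri, error, state, query_safe):
    """Build the Location for an OAuth error redirect; query_safe=True appends '#_'."""
    parts = urlsplit(redirect_uri)
    query = urlencode({"error": error, "state": state})
    if parts.query:
        query = parts.query + "&" + query
    fragment = "_" if query_safe else parts.fragment
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment))


def landing_fragment(query_safe):
    """Fragment the client actually receives once the browser has followed the error redirect."""
    # Constructed: an authorize request URL that still carries a fragment. A client
    # that parses its fragment for tokens would otherwise receive this value.
    authorize_url = "https://idsrv.example.com/connect/authorize?client_id=c1#access_token=leftover"
    location = build_error_redirect("https://client.example.com/cb", "access_denied", "xyz", query_safe)
    return urlsplit(follow_redirect(authorize_url, location)).fragment
```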
Feedback and Comments
We look forward to your feedback as you try out the latest preview of IdentityServer 7.2. As always, we’re working hard to provide you with a secure, flexible, spec-compliant OpenID implementation. If there’s anything we can do to improve the experience, please let us know through our official contact channels, which include email, social media, and GitHub repositories.