IdentityServer4 is public again
Our Duende development team is committed to delivering the world’s most secure, standards-compliant, trusted identity solutions. While Duende IdentityServer is a fully supported and secure OpenID Connect and OAuth 2.0 framework for .NET Core, IdentityServer4 has been out of support for a long time. The older IdentityServer4 contains multiple known security vulnerabilities and bugs, and has outdated documentation.
With that background, we made the IdentityServer4 repository private on February 17, 2025, resulting in our fork of the repository no longer being available to the general public.
With over 2000 forks available on GitHub for anyone to continue working with, the source code would stay around while we no longer endorsed it from its original location. In addition, back when Dominick Baier and Brock Allen forked IdentityServer4 to start Duende, they made sure to keep around information and documentation captured in GitHub issues in the new Duende organization.
The community feedback we received convinced us we may have missed a few perspectives. While we stand by our reasoning for making the IdentityServer4 repository private, there is value in keeping archived issues and pull requests available as learning material - even if they are considered outdated.
We are very grateful to everyone who raised their concerns and shared their reasons for wanting to keep the repository public in an archived state.
Along with explaining how we will keep the IdentityServer4 repository public on GitHub, we also want to highlight the Duende IdentityServer Community Edition.
A public IdentityServer4 archive
There are multiple important reasons why we made our repositories private. IdentityServer4 went out of support when .NET Core 3.1 reached its end-of-support date of December 2022. IdentityServer4 contains several known security vulnerabilities and bugs, while at the same time providing outdated documentation and information.
For many years, the repository displayed a warning about these issues, as do the NuGet packages. However, we saw that the source code was still being cloned, and the packages are still used - with folks actively putting vulnerable code into production.
We made the repository private as we believe we cannot in good faith keep code on the Internet that will cause security issues for users and their stakeholders. Thanks to community feedback, we are reconsidering our approach, and will:
- Make the IdentityServer4 repository public in an archived (read-only) state.
- Move the repository under the new DuendeArchive organization and make sure a redirect is in place from the original URL.
- Create a branch named `archive` from the `main` branch, which contains the source code of IdentityServer4. This way, sources will stay available but need the intentional action of switching branches.
- Ensure issues in the IdentityServer4 repository remain available and searchable on GitHub.
- Keep only the README and LICENSE files available in the `main` branch, and update the README with practical information about the state of the repository and how to find the `archive` branch.
Duende IdentityServer and Community Edition
We stand by not wanting to see the unmaintained IdentityServer4 source code deployed to production, and want to highlight that Duende IdentityServer Community Edition is available to a broad group of developers. It can be used by individuals, for-profit companies with less than 1M USD projected annual gross revenue, and non-profits with less than 1M USD annual budget. The Community Edition is a free license with the same features as our Enterprise Edition.
Duende IdentityServer is supported and maintained, targets the latest .NET versions, and implements a number of new specifications that were added to OpenID Connect over the past few years, such as Pushed Authentication Requests (PAR) for which we also contributed client-side code to .NET.
If you are currently on IdentityServer4 and looking at an upgrade path, please check the various upgrade guides. In addition, we can connect you with our network of partners who can help make your OpenID Connect-powered solutions more compliant by migrating to a supported identity provider.
At Duende, we focus on helping individuals and organizations build secure systems, especially around identity management. At the same time, we’re developers who see value in keeping information around for research purposes. We believe that with these actions, we’re striking the balance between these two.
Thanks again for your feedback over the past weeks.