Good news! We are happy to share a new major version of the Duende Backend-for-Frontend (BFF) Security Framework V3 with you.

When building applications with SPA frameworks like React, Angular, VueJs or Blazor, Backend-For-Frontend (BFF) makes it easier and more secure to integrate and manage OAuth/OpenID Connect interactions.

In this post, let’s explore what’s new in Duende BFF v3.

An essential part of securing ASP.NET Core applications while maintaining the capabilities to scale out to meet user demand is Data Protection.

In this post, we’ll discuss data protection, how to implement it, how to configure data protection options, and some choices you may want to consider when building your applications. We’ll also explain how this relates to our Duende IdentityServer product offering.

Our Duende development team is committed to delivering the world’s most secure, standards-compliant, trusted identity solutions. While Duende IdentityServer is a fully supported and secure OpenID Connect and OAuth 2.0 framework for .NET Core, IdentityServer4 has been out of support for a long time. The older IdentityServer4 contains multiple known security vulnerabilities and bugs, and has outdated documentation. With that background, we made the IdentityServer4 repository private on February 17, 2025, resulting in our fork of the repository no longer being available to the general public.

Today, we’re happy to bring you the first Release Candidate for the next version of the Duende Backend-for-Frontend (BFF) Security Framework V3.

BFF (Backend-For-Frontend) solves security and development challenges for client-side developers using SPA frameworks like React, Angular, VueJs or Blazor by providing a dedicated backend to manage OAuth/OIDC interactions while enforcing a “no tokens in the browser” policy.

In this blog post, we’ll look at some new functionality and cover some aspects you should be aware of when upgrading.

After our recent 7.1 release of IdentityServer, we’re moving toward version 7.2 and collaborating with the IETF to standardize several specifications. Even though we’re busy, we thought you’d appreciate an update on what’s next. For early adopters, you now have access to IdentityServer 7.2 Preview 1, which includes enhancements, bug fixes, and general improvements to the codebase. This release is now published on all official channels and IdentityServer NuGet packages are available for testing.

Happy New Year! Duende IdentityServer 7.1 is a new release we’re excited to share with you. In this article, we will discuss some exciting enhancements and breaking changes that software developers should be aware of when upgrading from previous versions.

We recently published Duende.AccessTokenManagement.OpenIdConnect 3.0.1, a security hotfix which addresses CVE-2024-51987, a medium-severity security issue that can cause refreshed access tokens to be cached and used for the wrong user.

We encourage everyone using Duende.AccessTokenManagement.OpenIdConnect 3.0.0 to update to version 3.0.1.

Today we are publishing two NuGet packages related to DPoP:

• Duende.IdentityServer 7.0.8, which addresses a low-severity security issue in our DPoP support for local APIs (CVE-2024-49755), and
• Duende.AspNetCore.Authentication.JwtBearer 0.1.3, the first preview of a new series of ASP.NET Core extensions that help you leverage advanced IdentityServer features - in this case DPoP support for APIs.

We encourage everyone using IdentityServer 7.0.0 and later to update to IdentityServer 7.0.8, but do note that most IdentityServer implementations are not affected. In this blog post, we’ll discuss the issue in more detail and the specific circumstances where this vulnerability applies, as well as show how to use the new package to implement DPoP in your ASP.NET APIs.

We think that PAR is one of the easiest ways to increase the security of OAuth and OpenID Connect. That’s why we prioritized the implementation of the RFC and released fully featured support in IdentityServer v7.

Unfortunately, it wasn’t as straightforward as it could be to add client-side PAR support to an existing ASP.NET Core application using the Microsoft OpenID Connect authentication handler.

Almost exactly four years ago we announced the big news of transitioning our free, open-source project, IdentityServer, to a commercial, source-available product.

As a part of that transition, we founded Duende Software as the new home for our products. Our main goal was to focus on IdentityServer – turning it into a sustainable product, improving the quality and reliability of our code base, and enhancing our samples, documentation and customer support.