OAuth and OpenID Connect requests consist of two steps. The front channel for user interactions like login or consent, and the back channel for transmitting the resulting tokens into client client applications. Front channel requests are done via the browser to the so called authorize endpoint, and the way the protocol was designed, those requests typically contain a significant number of parameters to help the authorization server to optmize the user workflow.

Today marks the release of .NET 8. This is the new long-term support version of .NET and thus the perfect foundation for our next major version of IdentityServer. For this release we focused on three big feature areas compatibility and optimisations for .NET 8 adding support for RFC 9126 aka pushed authorization requests (PAR) adding OpenTelemetry metrics We are publishing a preview of v7 today and are planning to release the final version in early January.

The sweet spot for proof of possession access tokens is clients that are operated in untrusted networks and can securely store key material and tokens - very typically that tranlates to native mobile applications. We maintain an open source client library that implements RFC8252 (aka “AppAuth”) style authentication and token management. This library targets netstandard2.0 and thus is usable on all .NET platforms (e.g. Windows / Mac desktop, iOS, Android etc.

The second main feature of IdentityServer v6.3 is support for the Dynamic Client Registration (DCR) protocol. This is on one hand part of our ongoing journey to implement all relevant protocols from the OAuth and OpenID Connect working groups, but also the start of a bigger effort around adding programmatic configuration capabilities to IdentityServer. DCR really consists of a base specification (RFC 7591) and various add-ons defining additional client metadata elements.

In our last post we discussed the history and security properties of proof of possession access tokens. While MTLS has been supported for several years now, our upcoming IdentityServer 6.3 release adds support for DPoP as well. This is very timely because DPoP Revision 16 has been approved by the IESG last week and will be an official RFC very soon. Adding DPoP to you architecture requires code changes at every level in you system: the authorization server, the clients and the APIs.

One of the most controversial decisions when OAuth 2.0 was being designed was the omission of a mechanism to cryptographically bind access tokens to clients. In favor of simplicity, only the Bearer token type was specified with the firm plan to add sender constraining at a later point. This assumes “perfect” security at all the actors of an OAuth system including the wires that connect them. In an ideal bearer token world, there would be no leakage of access tokens at the client, resource, or the authorization server, and all network connections are end-to-end secured with no opportunity of eavesdropping for an attacker (see here for a summary of threats and mitigations).

Cross-device flows enable a user to initiate an authorization flow on one device (the initiating device) and then use a second, personally trusted, device (authorization device) to authorize access to a resource (e.g., access to a service). These flows are increasingly popular and typically involve using a mobile phone to scan a QR code or enter a user code displayed on an initiating device (e.g., Smart TV, Kiosk, Personal Computer etc).

Every single OAuth/OIDC project needs a solution for token management in client applications at some point. It first sounds like a trivial thing, but it is surprisingly hard to get it right. We have been working on an access token management library for ASP.NET Core on the side for a couple of years now, and we also used it ourselves in our BFF security framework. And while re-visiting it recently, we realized it shows its age and needs some substantial work to maintain.

For our 6.1 we have added first class support for server-side sessions and better session management features. The Problem Normally when a user establishes an authentication session in the browser for an ASP.NET Core application, the state for that session is contained entirely within the cookie. This is also true for authentication sessions in Duende IdentityServer. This means, by default, it’s difficult to perform advanced session management tasks such as:

OpenTelemetry is a collection of tools, APIs, and SDKs for generating and collecting telemetry data (metrics, logs, and traces). This is very useful for analyzing software performance and behavior - especially in highly distributed systems. Now that the tracing part of OTel is finalized, we started adding instrumentation to all relevant parts of IdentityServer - especially around input validators, response generators and stores. The output is very useful for visualizing the control flow and finding performance bottlenecks.