Bump Duende.IdentityServer.Storage from 7.3.2 to 8.0.2

[dependabot]

Updated Duende.IdentityServer.Storage from 7.3.2 to 8.0.2.

Release notes

Sourced from Duende.IdentityServer.Storage's releases.

8.0.2

What's changed

• Fixed a license validation exception when using AddConfigurationStore without a license that includes the Dynamic Identity Providers feature. The EF configuration store registers an IIdentityProviderStore implementation, which incorrectly triggered a license check for Dynamic Identity Providers even when the feature was not in use.

8.0.1

What's changed

• Fixed session duplication issue in IdentityServer 8.0 where concurrent requests could create duplicate server-side sessions.
• Fixed nullable annotation on ITokenValidator.ValidateAccessTokenAsync — the expectedScope parameter is now correctly annotated as string? to match its intended usage.

8.0.0

Duende IdentityServer 8.0

Duende IdentityServer 8.0 targets .NET 10 and marks a significant milestone for the product.

SAML 2.0 is now a first-class protocol alongside OpenID Connect and OAuth 2.0, enabling enterprise and legacy applications to authenticate against your server without requiring separate infrastructure.

This release also introduces a FAPI 2.0/OAuth 2.1 conformance report to help you verify high-security deployments, and delivers substantial internal modernization - including adoption of .NET 10's HybridCache, TimeProvider, nullable reference types, and pervasive cancellation token support - resulting in a cleaner, more maintainable foundation going forward.

---

New Features

SAML 2.0 Identity Provider
IdentityServer can now act as a full SAML 2.0 Identity Provider, allowing enterprise and legacy applications that require SAML to authenticate against your server alongside OpenID Connect clients.

It supports:

• SP-initiated SSO via HTTP-Redirect and HTTP-POST bindings
• Single Logout (SLO) with front-channel notifications
• Per-SP assertion signing
• NameID format support
• AuthnContext class mapping, per-SP claim mappings
• Metadata endpoint

Your existing login UI requires only a small update to the cancellation path. See the SAML 2.0 documentation.

SAML 2.0 External Authentication
IdentityServer can now federate with external SAML 2.0 Identity Providers, letting you use a third-party SAML IdP as an upstream identity source - the same way you'd add Google or Microsoft Entra ID as an external provider. Configure SAML external providers statically or dynamically using the existing dynamic providers mechanism. See Configuring a SAML external provider.

Financial-Grade Security & Conformance Report
A new Duende.IdentityServer.ConformanceReport package assesses your IdentityServer deployment against OAuth 2.1 and FAPI 2.0 Security Profile specifications and generates an HTML report at a protected endpoint (/_duende/conformance-report). Use it to verify your server is correctly configured for high-security API scenarios. See the Conformance Report documentation.

User Management
IdentityServer 8 integrates with Duende User Management which adds user registration, password management, MFA (TOTP, passkeys), account recovery, and more. See the User Management documentation.

---

Improvements

• Token Cleanup Performance - The token cleanup service now uses a more efficient bulk delete strategy when IOperationalStoreNotification is not registered, reducing database load in high-throughput deployments. MySQL EF Core provider compatibility for PAR entry cleanup is also restored.

• Orphaned Grants Revoked on Session Overwrite - When a server-side session is overwritten (for example, when a user signs in again without signing out first), refresh tokens belonging to the prior session are now automatically revoked. This prevents stale grants from accumulating and remaining valid after re-authentication.

• Quieter Secret Validation Logging - Expected-failure log entries in client and API secret validation have been downgraded from Error to Debug. This reduces noise in production logs where failed secret lookups are a normal part of the secret hashing comparison process.

• Relaxed Audience Validation - Audience validation for private key JWT authentication in strict mode now accepts single-element JSON arrays in addition to scalar string values, improving compatibility with tokens from issuers that always serialize audiences as arrays.

• HTTP 303 Redirects - All redirects from IdentityServer's authorization endpoint now unconditionally use HTTP 303 See Other, aligning with the OAuth 2.0 and OpenID Connect specifications and avoiding issues with intermediaries that treat 302 redirects differently.

• Unified Authorization Context - SAML and OpenID Connect flows now share the same IAuthenticationContext abstraction. Your login page can access protocol-specific context - including SAML-specific details such as RequestedAuthnContext - through a single consistent interface.

... (truncated)

7.4.7

• Update Duende.IdentityModel dependency to 8.0.1

7.4.6

This is a patch release that fixes two issues in IdentityServer.

What's Changed

• Make ServerSideSessionCleanupHost.StopAsync idempotent (prevent exceptions if it is called multiple times) by @​damianh in fix: make ServerSideSessionCleanupHost.StopAsync idempotent DuendeSoftware/products#2345
• Do not escape '+' character in x5c of jwks by @​josephdecock in Backport "Do not escape '+' character in x5c of jwks" to 7.4.x DuendeSoftware/products#2350

7.4.5

This is bugfix release that fixes an issue where + characters are not treated correctly in URL queries.

What's Changed

• Fixed a regression where the + character was not treated as a space in query params by @​josephdecock and @​adamralph in + character was not treated as a space in query params DuendeSoftware/products#2333

Full Changelog: DuendeSoftware/products@is-7.4.4...is-7.4.5

7.4.4

This is bugfix release that fixes an issue where specific service registration scenarios would fail due to constructor ambiguity.

What's Changed

• remove constructor ambiguity from SanitizedLogger by @​adamralph in remove constructor ambiguity from SanitizedLogger DuendeSoftware/products#2318

Full Changelog: DuendeSoftware/products@is-7.4.3...is-7.4.4

7.4.3

This is bugfix release that fixes an issue where claims in a session would be duplicated.

What's Changed

• Fixed an issue where claims where duplicated by @​josephdecock in Fixed an issue where claims where duplicated DuendeSoftware/products#2301, with special thanks to @​wcabus

Full Changelog: DuendeSoftware/products@is-7.4.2...is-7.4.3

7.4.2

This is a patch release that fixes a bug in license verification.

What's Changed

• fix IdentityServerLicenseValidator log formatting issue by @​Erwinvandervalk in fix IdentityServerLicenseValidator log formatting issue DuendeSoftware/products#2288

7.4.1

This is a patch release that fixes a bug related to CSP hashes.

What's Changed

• Fix incorrect CSP hash constants in check session endpoint by @​maartenba in Fix incorrect CSP hash constants in check session endpoint DuendeSoftware/products#2283

7.4.0

IdentityServer 7.4.0 is a significant release that includes:

• Support for .NET 10
• Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
• New Callback option for path detection in Dynamic Providers
• Improved UI locales support
• Support for custom parameters in the Authorize Redirect Uri
• Identity package now persists session claims based on an interface
• Skipping front-channel logout iframe when unnecessary
• Set HTTP activity name on routing

Since the 7.4.0 release candidate, there have been a few minor changes, including:

• Add service for diagnostic data by @​josephdecock in #​2252
• Trigger Back Channel Logout Earlier in Pipeline by @​bhazen in #​2258
• Enable Customizing ErrorMessage on Redirect to Error Page by @​bhazen in #​2263
• Better DCR Support for Public Clientsby @​bhazen in #​2264
• Update .NET 10 from Release Candidate to GA by @​pgermishuys in #​2267

Note that Duende.IdentityServer.EntityFramework.Storage now depends on Entity Framework Core 9.x in the net8.0 target framework, which should be fully supported on both .NET 8 and .NET 9. .NET 10 projects will use Entity Framework Core 10.x.

Breaking Changes

There are no schema changes needed for IdentityServer 7.4.0. Small code changes maybe be required for some users to upgrade.

• Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public
• Marked static properties referring to counters in Telemetry.cs as readonly

Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public

• Address CA1707 violations by @​bhazen in #​2128
  In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it.

Marked static properties referring to counters in Telemetry.cs as readonly

• Address CA2211 Violations by @​bhazen in #​2170
  In the process of internal code cleanup, these properties were updated to be marked as readonly. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario.

Enhancements

• Set HTTP activity name on routing by @​josephdecock in #​2049
  • Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
• Skip front-channel logout iframe when unnecessary by @​bhazen in #​2109
  • Enables the UI to skip rendering the front channel logout iframe when it is not needed.
• Callback Option for Path Detection in Dynamic Providers by @​bhazen in #​2126
  • Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new PathMatchingCallback setting can be used as an alternative to the previously existing PathPrefix option.
• Improved UI locales support by @​bhazen in #​2158
  • Improves support for the ui_locales parameter in protocol request which support it to allow for better localization.
  • The default implementation, DefaultUiLocalsService.cs, delegates to the CookieRequestCultureProvider if it is present and any of the values passed in the ui_locales parameter match a supported UI culture.
  • If the default implementation does not meet your needs, IUiLocalesService can be implemented and registered with DI.
• RFC 8414 support by @​bhazen in #​2189
  • Adds out of box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414
• Support for custom parameters in authorize response by @​bhazen in #​2206
  • Adds a new CustomParameters property to AuthorizeResponse to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom IAuthorizeResponseGenerator.
• Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @​bhazen in #​2213
  • The ASP.NET Identity integration package now persists session claims based on ISessionClaimsFilter.FilterToSessionClaimsAsync which comes with a default implementation.
    ... (truncated)

7.4.0-rc.1

This is the first release candidate of IdentityServer 7.4.0. The changes since the last preview release are:

• Add service for diagnostic data by @​josephdecock in #​2252
• Trigger Back Channel Logout Earlier in Pipeline by @​bhazen in #​2258
• Enable Customizing ErrorMessage on Redirect to Error Page by @​bhazen in #​2263
• Better DCR Support for Public Clientsby @​bhazen in #​2264
• Update .NET 10 from Release Candidate to GA by @​pgermishuys in #​2267

IdentityServer 7.4.0 is a significant release that includes:

• Support for .NET 10 (this preview targets .NET10 RC2)
• Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
• New Callback option for path detection in Dynamic Providers
• Improved UI locales support
• Support for custom parameters in the Authorize Redirect Uri
• Identity package now persists session claims based on an interface
• Skipping front-channel logout iframe when unnecessary
• Set HTTP activity name on routing

Breaking Changes

There are no schema changes needed for IdentityServer 7.4.0. Small code changes maybe be required for some users to upgrade.

• Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public
• Marked static properties referring to counters in Telemetry.cs as readonly

Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public

• Address CA1707 violations by @​bhazen in #​2128
  In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it.

Marked static properties referring to counters in Telemetry.cs as readonly

• Address CA2211 Violations by @​bhazen in #​2170
  In the process of internal code cleanup, these properties were updated to be marked as readonly. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario.

Enhancements

• Set HTTP activity name on routing by @​josephdecock in #​2049
  • Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
• Skip front-channel logout iframe when unnecessary by @​bhazen in #​2109
  • Enables the UI to skip rendering the front channel logout iframe when it is not needed.
• Callback Option for Path Detection in Dynamic Providers by @​bhazen in #​2126
  • Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new PathMatchingCallback setting can be used as an alternative to the previously existing PathPrefix option.
• Improved UI locales support by @​bhazen in #​2158
  • Improves support for the ui_locales parameter in protocol request which support it to allow for better localization.
  • The default implementation, DefaultUiLocalsService.cs, delegates to the CookieRequestCultureProvider if it is present and any of the values passed in the ui_locales parameter match a supported UI culture.
  • If the default implementation does not meet your needs, IUiLocalesService can be implemented and registered with DI.
• RFC 8414 support by @​bhazen in #​2189
  • Adds out of box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414
• Support for custom parameters in authorize response by @​bhazen in #​2206
  • Adds a new CustomParameters property to AuthorizeResponse to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom IAuthorizeResponseGenerator.
• Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @​bhazen in #​2213
  • The ASP.NET Identity integration package now persists session claims based on ISessionClaimsFilter.FilterToSessionClaimsAsync which comes with a default implementation.
  • The new interface can be implemented to customize which session claims are persisted in non-default scenarios.
• .NET 10 Support (Simplified) by @​josephdecock in #​2216
  ... (truncated)

7.4.0-preview.2

IdentityServer 7.4.0 is a significant release that includes:

• Support for .NET 10 (this preview targets .NET10 RC2)
• Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
• New Callback option for path detection in Dynamic Providers
• Improved UI locales support
• Support for custom parameters in the Authorize Redirect Uri
• Identity package now persists session claims based on an interface
• Skipping front-channel logout iframe when unnecessary
• Set HTTP activity name on routing

Breaking Changes

There are no schema changes needed for IdentityServer 7.4.0. Small code changes maybe be required for some users to upgrade.

• Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public
• Marked static properties referring to counters in Telemetry.cs as readonly

Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public

• Address CA1707 violations by @​bhazen in #​2128
  In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it.

Marked static properties referring to counters in Telemetry.cs as readonly

• Address CA2211 Violations by @​bhazen in #​2170
  In the process of internal code cleanup, these properties were updated to be marked as readonly. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario.

Enhancements

• Set HTTP activity name on routing by @​josephdecock in #​2049
  • Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
• Skip front-channel logout iframe when unnecessary by @​bhazen in #​2109
  • Enables the UI to skip rendering the front channel logout iframe when it is not needed.
• Callback Option for Path Detection in Dynamic Providers by @​bhazen in #​2126
  • Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new PathMatchingCallback setting can be used as an alternative to the previously existing PathPrefix option.
• Improved UI locales support by @​bhazen in #​2158
  • Improves support for the ui_locales parameter in protocol request which support it to allow for better localization.
  • The default implementation, DefaultUiLocalsService.cs, delegates to the CookieRequestCultureProvider if it is present and any of the values passed in the ui_locales parameter match a supported UI culture.
  • If the default implementation does not meet your needs, IUiLocalesService can be implemented and registered with DI.
• RFC 8414 support by @​bhazen in #​2189
  • Adds out of box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414
• Support for custom parameters in authorize response by @​bhazen in #​2206
  • Adds a new CustomParameters property to AuthorizeResponse to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom IAuthorizeResponseGenerator.
• Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @​bhazen in #​2213
  • The ASP.NET Identity integration package now persists session claims based on ISessionClaimsFilter.FilterToSessionClaimsAsync which comes with a default implementation.
  • The new interface can be implemented to customize which session claims are persisted in non-default scenarios.
• .NET 10 Support (Simplified) by @​josephdecock in #​2216
  • Added initial support for .NET 10.
• Updated IS and BFF to IM 8.0.0 Preview 1 and ATM Previews in #​2247

Bug Fixes

• Reject Pushed Authorization Requests with parameters duplicated in a JAR by @​wcabus in #​2073
  • Fixes a bug where when posting a PAR containing the "request" request parameter other requests parameters were being allowed.
  • Such as request will now correctly return an invalid request.
    ... (truncated)

7.4.0-preview.1

NOTE: There were minor issues with this release. There is a Preview 2 package available which should be used instead.

IdentityServer 7.4.0 is a significant release that includes:

• Support for .NET 10 (this preview targets .NET10 RC2)
• Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
• New Callback option for path detection in Dynamic Providers
• Improved UI locales support
• Support for custom parameters in the Authorize Redirect Uri
• Identity package now persists session claims based on an interface
• Skipping front-channel logout iframe when unnecessary
• Set HTTP activity name on routing

Breaking Changes

There are no schema changes needed for IdentityServer 7.4.0. Small code changes maybe be required for some users to upgrade.

• Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public
• Marked static properties referring to counters in Telemetry.cs as readonly

Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public

• Address CA1707 violations by @​bhazen in #​2128
  In the process of internal code cleanup, this unused and unreferenced file was used. If code was referencing this file, see the linked PR to create a local copy in the code base needing it.

Marked static properties referring to counters in Telemetry.cs as readonly

• Address CA2211 Violations by @​bhazen in #​2170
  In the process of internal code cleanup, these properties were updated to be marked as readonly. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario.

Enhancements

• Set HTTP activity name on routing by @​josephdecock in #​2049
  • Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
• Skip front-channel logout iframe when unnecessary by @​bhazen in #​2109
  • Enables the UI to skip rendering the front channel logout iframe when it is not needed.
• Callback Option for Path Detection in Dynamic Providers by @​bhazen in #​2126
  • Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new PathMatchingCallback setting can be used as an alternative to the previously existing PathPrefix option.
• Improved UI locales support by @​bhazen in #​2158
  • Improves support for the ui_locales parameter in protocol request which support it to allow for better localization.
  • The default implementation, DefaultUiLocalsService.cs, delegates to the CookieRequestCultureProvider if it is present and any of the values passed in the ui_locales parameter match a supported UI culture.
  • If the default implementation does not meet your needs, IUiLocalesService can be implemented and registered with DI.
• RFC 8414 support by @​bhazen in #​2189
  • Adds out of box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414
• Support for custom parameters in authorize response by @​bhazen in #​2206
  • Adds a new CustomParameters property to AuthorizeResponse to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom IAuthorizeResponseGenerator.
• Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @​bhazen in #​2213
  • The ASP.NET Identity integration package now persists session claims based on ISessionClaimsFilter.FilterToSessionClaimsAsync which comes with a default implementation.
  • The new interface can be implemented to customize which session claims are persisted in non-default scenarios.
• .NET 10 Support (Simplified) by @​josephdecock in #​2216
  • Added initial support for .NET 10.

Bug Fixes

• Reject Pushed Authorization Requests with parameters duplicated in a JAR by @​wcabus in #​2073
  • Fixes a bug where when posting a PAR containing the "request" request parameter other requests parameters were being allowed.
    ... (truncated)

7.3.4

This is bugfix release that fixes an issue where specific service registration scenarios would fail due to constructor ambiguity.

What's Changed

• remove constructor ambiguity from SanitizedLogger by @​adamralph in remove constructor ambiguity from SanitizedLogger DuendeSoftware/products#2319

Full Changelog: DuendeSoftware/products@is-7.3.3...is-7.3.4

7.3.3

This is a minor release which changes how a CSP hash is calculated to prevent future issues and updates the version of Duende.IdentityModel used to 8.0.0.

What's Changed

• Resolve CSP by moving it to a not dotnet formattable file by @​pgermishuys in #​2295
• Updated to IdentityModel 8.0.0 by @​bhazen in #​2302

Breaking Changes

The update to Duende.IdentityModel can cause breaking changes as it is a major version. Refer to the Duende.IdentityModel 8.0.0 release notes for upgrade instructions.

Commits viewable in compare view.

[cursor]

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1fd2033. Configure here.}

[cursor]

Mismatched Duende package majors

High Severity

Updating Duende.IdentityServer.Storage to 8.0.0 while other Duende.IdentityServer packages remain at 7.3.2 creates a split major-version stack. Identity.API references these, risking restore conflicts and runtime failures, as Duende recommends an all-or-nothing upgrade.

 

^{Reviewed by Cursor Bugbot for commit 1fd2033. Configure here.}

[dependabot]

Looks like Duende.IdentityServer.Storage is updatable in another way, so this is no longer needed.