Releases: DuendeSoftware/products

Duende Storage 1.1.0

11 Jun 12:13

What's changed

  • Fixed SQL Server identifier truncation that could silently truncate identifiers to 128 chars, causing potential collisions at the database level.
  • Added a breadth limit to the FilterExpressionParser to prevent excessive query conditions from generating unbounded SQL subqueries.
  • Fixed missing bracket-quoting ([]) in SQL Server queries generated by IUserProfileAdmin.QueryAsync.

Duende IdentityServer 8.0.1

11 Jun 16:26

What's changed

  • Fixed session duplication issue in IdentityServer 8.0 where concurrent requests could create duplicate server-side sessions.
  • Fixed nullable annotation on ITokenValidator.ValidateAccessTokenAsync — the expectedScope parameter is now correctly annotated as string? to match its intended usage.

Duende BFF Security Framework 4.2.0

10 Jun 06:28

What's changed

  • You can now specify a custom IAccessTokenRetriever through YARP route or cluster metadata.
  • Cookie name prefix constants (__Host-, __Secure-) now correctly include the trailing hyphen.

UserManagement 1.0.0

02 Jun 12:55

Duende User Management 1.0

Duende User Management is a new, first-party component of Duende IdentityServer that provides native user storage, a passwordless-first authentication layer, full lifecycle management, and membership management. It ships as the Duende.UserManagement.IdentityServer8 NuGet package and integrates through a single AddUserManagement() call on the IdentityServer builder. Requires .NET 10 and Duende IdentityServer 8.

Authentication Methods

  • One-Time Passwords (OTP). Passwordless authentication using codes delivered by email, SMS or any other custom mechanism. Supports configurable code length, expiry, and rate limiting. New users are automatically registered on their first successful OTP authentication.
  • TOTP. Time-based one-time passwords compatible with authenticator apps like Microsoft Authenticator and Google Authenticator.
  • Passkeys (WebAuthn/FIDO2). Phishing-resistant, device-bound authentication using the FIDO2/WebAuthn standard. Supports TPM attestation validation and configurable attestation format handling.
  • Recovery Codes. Single-use codes that allow users to regain access when other authentication methods are unavailable.
  • External Authentication. Federate with external identity providers using OpenID Connect and OAuth 2.0. New users are automatically registered using an IExternalAuthenticator interface.
  • Passwords. Traditional credential-based authentication for scenarios where it's required. Includes multi-algorithm password verification with transparent re-hashing when algorithms are upgraded.
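The "multi-algorithm password verification with transparent re-hashing" described in the Passwords item, as an added example that is not Duende User Management's code. The stored-hash format ("$alg$iterations$salt$hash"), the algorithm identifiers (pbkdf2-sha1 as the legacy algorithm, pbkdf2-sha256 as the current one), the iteration counts and the class name are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not Duende's code. Stored-hash format assumed here:
// "$<alg>$<iterations>$<salt-base64>$<hash-base64>".
public static class PasswordUpgradeExample
{
    // Current policy; "pbkdf2-sha1" is accepted only so legacy hashes still verify.
    public const string CurrentAlg = "pbkdf2-sha256";
    public const int CurrentIterations = 600_000;
    private const int SaltSize = 16, HashSize = 32;

    public static string Hash(string password) =>
        Hash(password, CurrentAlg, CurrentIterations, RandomNumberGenerator.GetBytes(SaltSize), HashSize);

    public static string Hash(string password, string alg, int iterations, byte[] salt, int hashSize)
    {
        var hash = Derive(password, alg, iterations, salt, hashSize);
        return $"${alg}${iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    private static byte[] Derive(string password, string alg, int iterations, byte[] salt, int length)
    {
        var prf = alg switch
        {
            "pbkdf2-sha1" => HashAlgorithmName.SHA1,
            "pbkdf2-sha256" => HashAlgorithmName.SHA256,
            _ => throw new NotSupportedException($"unknown password hash algorithm '{alg}'"),
        };
        return Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, prf, length);
    }

    // Verifies against whatever algorithm the stored value was produced with. On success,
    // rehash is non-null when the stored hash is below current policy; the caller persists
    // it in place of the old value so the record is upgraded transparently at login.
    public static bool Verify(string password, string stored, out string? rehash)
    {
        rehash = null;
        var parts = stored.Split('$');
        if (parts.Length != 5 || parts[0].Length != 0 || !int.TryParse(parts[2], out var iterations))
            return false;

        byte[] actual, expected;
        try
        {
            var salt = Convert.FromBase64String(parts[3]);
            expected = Convert.FromBase64String(parts[4]);
            actual = Derive(password, parts[1], iterations, salt, expected.Length);
        }
        catch (Exception e) when (e is FormatException or NotSupportedException)
        {
            return false; // malformed record or an algorithm this deployment no longer knows
        }

        // Constant-time comparison so a mismatch position does not leak through timing.
        if (!CryptographicOperations.FixedTimeEquals(actual, expected)) return false;

        if (parts[1] != CurrentAlg || iterations < CurrentIterations)
            rehash = Hash(password); // fresh salt, current algorithm and work factor
        return true;
    }

    public static void Main()
    {
        // A legacy record as an older release might have stored it (constructed for this demo).
        var legacy = Hash("correct horse battery staple", "pbkdf2-sha1", 10_000,
                          RandomNumberGenerator.GetBytes(SaltSize), 20);

        Console.WriteLine(Verify("wrong password", legacy, out _));
        Console.WriteLine(Verify("correct horse battery staple", legacy, out var upgraded));
        Console.WriteLine(upgraded);
        Console.WriteLine(Verify("correct horse battery staple", upgraded!, out var again));
        Console.WriteLine(again is null);
    }
}
```

The first call fails without touching the record; the second succeeds and returns a replacement hash under the current algorithm, which the caller stores; once that is stored, the third call succeeds with no further rehash. Re-hashing only on a successful verification is what makes the upgrade transparent: the plaintext is available exactly then, and never needs to be recovered from the old hash.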

User Profiles

  • Extensible attribute-based profile model using an Entity-Attribute-Value (EAV) schema with support for scalar, list and complex types.
  • Schema-aware attribute collections with validation
  • Attribute grouping and ordering for UI rendering
  • Queryable attributes for searching and filtering users
  • Custom attributes map directly to OIDC claims using the built-in UserManagementProfileService

Membership & Authorization

  • Built-in roles and groups for modeling organizational structures and permission boundaries
  • Programmatic membership management using IMembershipAdmin. Assign users to (or remove them from) roles and groups in provisioning workflows, admin UIs, or automated onboarding.

Storage

  • Three storage providers out of the box: PostgreSQL (recommended for production), SQL Server, and SQLite (development/testing)
  • Schema creation from code using IDataBaseSchema or generated migration scripts

IdentityServer Integration

  • Registers as an extension on the IdentityServer builder: AddUserManagement()
  • All modules (profiles, authentication, membership) are auto-registered; there is no need to enable them individually.
  • Built-in UserManagementProfileService maps profile attributes and role memberships to OIDC claims.

Getting Started

Get started by following the Getting Started tutorial, which walks you through building a complete OTP login flow from scratch. For integration into an existing IdentityServer deployment, see IdentityServer Integration.

IdentityServer 8.0.0

02 Jun 12:56

Duende IdentityServer 8.0

Duende IdentityServer 8.0 targets .NET 10 and marks a significant milestone for the product.

SAML 2.0 is now a first-class protocol alongside OpenID Connect and OAuth 2.0, enabling enterprise and legacy applications to authenticate against your server without requiring separate infrastructure.

This release also introduces a FAPI 2.0/OAuth 2.1 conformance report to help you verify high-security deployments, and delivers substantial internal modernization - including adoption of .NET 10's HybridCache, TimeProvider, nullable reference types, and pervasive cancellation token support - resulting in a cleaner, more maintainable foundation going forward.


New Features

SAML 2.0 Identity Provider
IdentityServer can now act as a full SAML 2.0 Identity Provider, allowing enterprise and legacy applications that require SAML to authenticate against your server alongside OpenID Connect clients.

It supports:

  • SP-initiated SSO via HTTP-Redirect and HTTP-POST bindings
  • Single Logout (SLO) with front-channel notifications
  • Per-SP assertion signing
  • NameID format support
  • AuthnContext class mapping, per-SP claim mappings
  • Metadata endpoint

Your existing login UI requires only a small update to the cancellation path. See the SAML 2.0 documentation.

SAML 2.0 External Authentication
IdentityServer can now federate with external SAML 2.0 Identity Providers, letting you use a third-party SAML IdP as an upstream identity source - the same way you'd add Google or Microsoft Entra ID as an external provider. Configure SAML external providers statically or dynamically using the existing dynamic providers mechanism. See Configuring a SAML external provider.

Financial-Grade Security & Conformance Report
A new Duende.IdentityServer.ConformanceReport package assesses your IdentityServer deployment against OAuth 2.1 and FAPI 2.0 Security Profile specifications and generates an HTML report at a protected endpoint (/_duende/conformance-report). Use it to verify your server is correctly configured for high-security API scenarios. See the Conformance Report documentation.

User Management
IdentityServer 8 integrates with Duende User Management which adds user registration, password management, MFA (TOTP, passkeys), account recovery, and more. See the User Management documentation.


Improvements

  • Token Cleanup Performance - The token cleanup service now uses a more efficient bulk delete strategy when IOperationalStoreNotification is not registered, reducing database load in high-throughput deployments. MySQL EF Core provider compatibility for PAR entry cleanup is also restored.

  • Orphaned Grants Revoked on Session Overwrite - When a server-side session is overwritten (for example, when a user signs in again without signing out first), refresh tokens belonging to the prior session are now automatically revoked. This prevents stale grants from accumulating and remaining valid after re-authentication.

  • Quieter Secret Validation Logging - Expected-failure log entries in client and API secret validation have been downgraded from Error to Debug. This reduces noise in production logs where failed secret lookups are a normal part of the secret hashing comparison process.

  • Relaxed Audience Validation - Audience validation for private key JWT authentication in strict mode now accepts single-element JSON arrays in addition to scalar string values, improving compatibility with tokens from issuers that always serialize audiences as arrays.

  • HTTP 303 Redirects - All redirects from IdentityServer's authorization endpoint now unconditionally use HTTP 303 See Other, aligning with the OAuth 2.0 and OpenID Connect specifications and avoiding issues with intermediaries that treat 302 redirects differently.

  • Unified Authorization Context - SAML and OpenID Connect flows now share the same IAuthenticationContext abstraction. Your login page can access protocol-specific context - including SAML-specific details such as RequestedAuthnContext - through a single consistent interface.

  • Backchannel Logout Fix - Resolved an issue where backchannel logout notifications could be sent twice for the same session.

  • License Key from IConfiguration - The IdentityServer license key can now be provided through standard .NET configuration sources such as appsettings.json, environment variables, or a secrets manager, making deployment configuration simpler and more consistent with other .NET settings.

  • AuthorizeInteractionPageHttpWriter Now Public - The AuthorizeInteractionPageHttpWriter class is now part of the public API, giving you full control over how IdentityServer writes authorization interaction responses without relying on internal implementation details.
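The strict-mode audience rule from the "Relaxed Audience Validation" item above (a scalar string or a single-element JSON array is accepted; anything else is rejected), as an added example that is not IdentityServer's code. The class and method names and the sample payloads are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Added example, not IdentityServer's code: the aud shapes strict validation of a
// private_key_jwt client assertion accepts after this change.
public static class StrictAudienceExample
{
    // Succeeds for "aud":"x" and "aud":["x"]; fails for missing aud, empty arrays,
    // multi-valued arrays, and non-string members.
    public static bool TryGetSingleAudience(string payloadJson, out string? audience)
    {
        audience = null;
        using var doc = JsonDocument.Parse(payloadJson);
        if (!doc.RootElement.TryGetProperty("aud", out var aud)) return false;

        switch (aud.ValueKind)
        {
            case JsonValueKind.String:
                audience = aud.GetString();
                return audience is not null;

            case JsonValueKind.Array:
                // Strict mode tolerates issuers that always emit arrays, but only when the
                // array names exactly one audience; a multi-valued aud stays rejected.
                if (aud.GetArrayLength() != 1) return false;
                var only = aud[0];
                if (only.ValueKind != JsonValueKind.String) return false;
                audience = only.GetString();
                return audience is not null;

            default:
                return false;
        }
    }

    public static bool Matches(string payloadJson, IReadOnlyCollection<string> acceptedAudiences) =>
        TryGetSingleAudience(payloadJson, out var aud)
        && aud is not null
        && acceptedAudiences.Contains(aud, StringComparer.Ordinal);

    public static void Main()
    {
        var accepted = new[] { "https://as.example/connect/token" };

        // Constructed sample payloads; the boolean is the expected verdict.
        var samples = new Dictionary<string, bool>
        {
            ["{\"iss\":\"client1\",\"aud\":\"https://as.example/connect/token\"}"] = true,
            ["{\"iss\":\"client1\",\"aud\":[\"https://as.example/connect/token\"]}"] = true,
            ["{\"iss\":\"client1\",\"aud\":[\"https://as.example/connect/token\",\"https://other.example\"]}"] = false,
            ["{\"iss\":\"client1\",\"aud\":[]}"] = false,
            ["{\"iss\":\"client1\",\"aud\":42}"] = false,
            ["{\"iss\":\"client1\"}"] = false,
        };

        foreach (var (payload, expected) in samples)
            Console.WriteLine($"{(Matches(payload, accepted) == expected ? "ok " : "BAD")} {payload}");
    }
}
```

The comparison is ordinal on purpose: audience values are URLs or issuer identifiers and must match byte-for-byte, so culture-aware or case-insensitive matching would widen what a client assertion is accepted for.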


Breaking Changes

See the upgrade guide for full migration instructions.

  • .NET 10 required - Retarget your project to net10.0.
  • ICache<T> / DefaultCache<T> replaced by HybridCache - Replace custom cache implementations with .NET 10's HybridCache.
  • IClock replaced by TimeProvider - Use TimeProvider directly instead of the IClock abstraction.
  • CancellationToken required on all interface methods - Add a CancellationToken parameter to custom implementations of IdentityServer interfaces.
  • IEnumerable<T> return types changed to IReadOnlyCollection<T> - Update return types in custom store and service implementations.
  • IAuthorizationParametersMessageStore removed - Remove usage; see the upgrade guide for the migration path.
  • Nullable reference types enabled - Fix nullable warnings in code that implements or extends IdentityServer types.
  • response_mode validated earlier - Previously-invalid response_mode values may now surface as errors; test your authorization requests.
  • IClientStore.GetAllClientsAsync now required - Implement this method on custom IClientStore implementations.
  • IRefreshTokenService method signatures changed - Update custom implementations to match the new signatures.
  • IUserSession: new SAML session methods added - Implement the new SAML-related methods on custom IUserSession implementations.
  • IsNullOrEmpty extension made internal - Replace calls with string.IsNullOrEmpty().
  • DPoP type names corrected - Update any references to renamed DPoP types.
  • PersistedGrantFilter collection properties non-nullable - Remove any null assignments to collection properties on PersistedGrantFilter.

Removals & Behavioral Changes

  • ICancellationTokenProvider removed - Cancellation tokens are now passed directly via method parameters throughout the framework.
  • PreviewFeatureOptions removed - All preview features have graduated to stable; their configuration options have been moved to the appropriate standard options classes.
  • IdentityServerLicense class removed - License handling has been updated. LicenseUsageSummary.LicenseEdition is replaced by EntitledSkus.
  • Device flow no longer remembers consent - Users will be prompted to consent on each device flow authorization. This change removes a pattern that could allow unintended persistent access.
  • AuthorizationError renamed to InteractionError - Update any references to this type in your codebase.

Database Migration Required

SAML 2.0 support adds 10 new database tables. If you use the EF Core stores, run the provided migrations as part of your upgrade:

  • Configuration store (7 new tables): SamlServiceProviders, SamlAllowedScopes, SamlAssertionConsumerServices, SamlAuthnContextMappings, SamlCertificates, SamlClaimMappings, SamlRequestedClaimTypes
  • Operational store (3 new tables): SamlLogoutSessions, SamlSigninStates, SamlLogoutSessionRequestIndices

See the upgrade guide for the exact dotnet ef migration commands.


Duende.Documentation.Mcp 0.4.0

01 Apr 09:40

This release adds a disclaimer to the README clarifying that AI developer tools provide context but do not guarantee the correctness, security, or completeness of AI-generated output.

What's Changed

Documentation: Added a Disclaimer section to the README that clarifies:

  • Duende's AI developer tools improve the quality of AI-assisted development but do not guarantee correctness, security, or completeness of AI-generated output
  • All code, configuration, and architectural decisions produced with AI assistance must be reviewed and validated by qualified developers before deployment
  • The MCP Server serves context to LLMs — it does not validate or enforce correctness of the LLM's output
  • Users should always verify AI-generated guidance against the official documentation at docs.duendesoftware.com

Duende.AspNetCore.Authentication.JwtBearer 1.0.2

01 Apr 08:35

This is a patch release that fixes a thread-safety bug in DPoP proof validation.

What's Changed

Bug Fix: Fixed a race condition in DPoPProofValidator.ValidateToken() where the shared TokenValidationParameters singleton had its IssuerSigningKey overwritten by concurrent requests using different DPoP keys, causing intermittent IDX10503 signature validation failures (~5-10% failure rate under load with multiple DPoP keys).

The fix clones TokenValidationParameters before mutation so each request operates on its own copy.
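The race and its fix, as an added example that is not Duende's code: a per-request DPoP key written into a TokenValidationParameters instance shared by all requests, beside the clone-before-mutate version. The class and method names are hypothetical, the proofs are built by hand with constructed keys, and the example assumes Microsoft.IdentityModel.JsonWebTokens 7.x; only the signature and "typ" header are checked, so jti, htm, htu and iat validation is left out.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Added example, not Duende's code. Assumes Microsoft.IdentityModel.JsonWebTokens 7.x.
public sealed class DPoPProofValidatorExample
{
    private readonly JsonWebTokenHandler _handler = new();

    // One instance shared by every request. DPoP proofs carry no iss/aud/exp, so only the
    // signature and the "dpop+jwt" type are validated here.
    private readonly TokenValidationParameters _shared = new()
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        ValidateLifetime = false,
        RequireExpirationTime = false,
        ValidTypes = new[] { "dpop+jwt" },
    };

    // BUGGY: writes the request's key into the shared instance. A concurrent request with a
    // different key can overwrite IssuerSigningKey between the assignment and the validation,
    // so the proof is checked against the wrong key and fails with a signature error.
    public async Task<bool> ValidateSharedAsync(string proof)
    {
        _shared.IssuerSigningKey = new JsonWebKey(ExtractJwk(proof));
        return (await _handler.ValidateTokenAsync(proof, _shared)).IsValid;
    }

    // FIXED: clone first, mutate only the per-request copy.
    public async Task<bool> ValidateClonedAsync(string proof)
    {
        var perRequest = _shared.Clone();
        perRequest.IssuerSigningKey = new JsonWebKey(ExtractJwk(proof));
        return (await _handler.ValidateTokenAsync(proof, perRequest)).IsValid;
    }

    // The proof's public key travels in the JOSE header "jwk" member.
    private static string ExtractJwk(string proof)
    {
        using var header = JsonDocument.Parse(Base64UrlEncoder.Decode(proof.Split('.')[0]));
        return header.RootElement.GetProperty("jwk").GetRawText();
    }
}

public static class DPoPRaceDemo
{
    // Minimal ES256 DPoP proof assembled by hand so the demo needs no further dependencies.
    public static string CreateProof(ECDsa key, string htm, string htu)
    {
        var p = key.ExportParameters(false);
        var jwk = $"{{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"{Base64UrlEncoder.Encode(p.Q.X)}\",\"y\":\"{Base64UrlEncoder.Encode(p.Q.Y)}\"}}";
        var header = $"{{\"typ\":\"dpop+jwt\",\"alg\":\"ES256\",\"jwk\":{jwk}}}";
        var payload = $"{{\"jti\":\"{Guid.NewGuid():N}\",\"htm\":\"{htm}\",\"htu\":\"{htu}\",\"iat\":{DateTimeOffset.UtcNow.ToUnixTimeSeconds()}}}";
        var signingInput = Base64UrlEncoder.Encode(header) + "." + Base64UrlEncoder.Encode(payload);
        // ECDsa.SignData returns r||s (IEEE P1363), which is the JWS signature format for ES256.
        var signature = key.SignData(Encoding.UTF8.GetBytes(signingInput), HashAlgorithmName.SHA256);
        return signingInput + "." + Base64UrlEncoder.Encode(signature);
    }

    public static async Task Main()
    {
        // Two clients with two different DPoP keys (constructed for this demo).
        using var keyA = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using var keyB = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var proofs = new[]
        {
            CreateProof(keyA, "POST", "https://as.example/connect/token"),
            CreateProof(keyB, "POST", "https://as.example/connect/token"),
        };
        var validator = new DPoPProofValidatorExample();

        int sharedFailures = 0, clonedFailures = 0;
        var tasks = new Task[2000];
        for (var i = 0; i < tasks.Length; i++)
        {
            var proof = proofs[i % 2];
            tasks[i] = Task.Run(async () =>
            {
                if (!await validator.ValidateSharedAsync(proof)) Interlocked.Increment(ref sharedFailures);
                if (!await validator.ValidateClonedAsync(proof)) Interlocked.Increment(ref clonedFailures);
            });
        }
        await Task.WhenAll(tasks);
        Console.WriteLine($"shared parameters: {sharedFailures} failures; cloned parameters: {clonedFailures} failures");
    }
}
```

Every proof is validly signed by its own key, so any failure reported for the shared variant is the race, not a bad proof; the cloned variant should report none. The same pattern applies to any validator that keeps a TokenValidationParameters singleton and sets a per-request property on it (IssuerSigningKey, ValidAudience, and so on): treat the singleton as a read-only template and Clone() it before writing.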

Duende.IdentityServer 7.4.7

13 Mar 12:24
020d975

  • Update Duende.IdentityModel dependency to 8.0.1

Duende.BFF 4.1.2

13 Mar 14:44
85ff9c1

  • Update Duende.IdentityModel dependency to 8.0.1

Duende BFF Security Framework 4.1.1

18 Feb 15:25
7d896e6

This is a patch release for BFF that fixes two issues.

What's Changed

  • Fixed: BFF crashed when OpenID Connect options were retrieved outside of an HTTP request context. @Erwinvandervalk in #2348
  • Fixed: stack overflow when BFF is explicitly configured with authentication schemes but without a ForbidScheme (#2363). @Erwinvandervalk in #2364