From 8ad151f94d540a1d72b3d11d6264e886a7afee1b Mon Sep 17 00:00:00 2001 
From: Khalid Abuhakmeh Date: Tue, 28 Apr 2026 14:27:46 -0400 Subject: [PATCH 1/5] Created distinct `/reference/vX` folders and ported API changes from the future release. (#1074) --- astro/astro.config.mjs | 2 +- .../session/management/back-channel-logout.md | 2 +- .../fundamentals/session/management/user.md | 2 +- .../apis/aspnetcore/authorization.md | 2 +- .../identityserver/aspnet-identity/schemes.md | 2 +- .../docs/identityserver/configuration/dcr.mdx | 16 +- .../{configuration.md => configuration.mdx} | 81 +- .../content/docs/identityserver/data/ef.md | 2 +- .../docs/identityserver/data/operational.md | 20 +- .../docs/identityserver/deployment/index.md | 4 +- .../docs/identityserver/diagnostics/data.mdx | 10 +- .../identityserver/fundamentals/claims.md | 10 +- .../identityserver/fundamentals/hosting.md | 4 +- .../fundamentals/key-management.md | 6 +- .../fundamentals/resources/api-resources.md | 2 +- .../fundamentals/resources/identity.md | 6 +- .../docs/identityserver/fundamentals/users.md | 2 +- .../quickstarts/1-client-credentials.md | 2 +- .../identityserver/quickstarts/5-aspnetid.md | 2 +- .../identityserver/reference/dcr/response.md | 40 - .../identityserver/reference/v7/_meta.yml | 2 + .../reference/{ => v7}/dcr/_meta.yml | 0 .../identityserver/reference/v7/dcr/models.md | 173 ++++ .../reference/v7/dcr/options.md | 40 + .../reference/v7/dcr/processing.md | 67 ++ .../reference/v7/dcr/response.md | 38 + .../identityserver/reference/v7/dcr/store.md | 28 + .../reference/v7/dcr/validation.md | 81 ++ .../docs/identityserver/reference/v7/di.md | 223 +++++ .../reference/{ => v7}/efoptions/_meta.yml | 0 .../reference/v7/efoptions/configuration.md | 85 ++ .../reference/v7/efoptions/index.md | 11 + .../reference/v7/efoptions/operational.md | 86 ++ .../reference/{ => v7}/endpoints/_meta.yml | 0 .../reference/v7/endpoints/authorize.md | 161 ++++ .../reference/v7/endpoints/ciba.md | 156 ++++ .../v7/endpoints/device-authorization.md | 50 ++ 
.../reference/v7/endpoints/discovery.md | 86 ++ .../reference/v7/endpoints/end-session.md | 54 ++ .../reference/v7/endpoints/introspection.md | 125 +++ .../{ => v7}/endpoints/oauth-metadata.md | 2 +- .../reference/v7/endpoints/revocation.md | 50 ++ .../reference/v7/endpoints/token.md | 120 +++ .../reference/v7/endpoints/userinfo.md | 65 ++ .../reference/{ => v7}/models/_meta.yml | 0 .../reference/v7/models/api-resource.md | 94 +++ .../reference/v7/models/api-scope.md | 75 ++ .../reference/v7/models/ciba-login-request.md | 48 ++ .../reference/v7/models/client.md | 359 ++++++++ .../v7/models/grant-validation-result.md | 68 ++ .../reference/v7/models/identity-resource.md | 64 ++ .../identityserver/reference/v7/models/idp.md | 84 ++ .../v7/models/license-usage-summary.md | 94 +++ .../reference/v7/models/secrets.md | 105 +++ .../reference/{ => v7}/options.md | 6 +- .../{ => v7}/response-handling/_meta.yml | 0 ...uthorize-interaction-response-generator.md | 63 ++ .../response-handling/http-response-writer.md | 47 ++ .../reference/v7/response-handling/index.md | 13 + .../token_response_generator.md | 1 - .../reference/{ => v7}/services/_meta.yml | 0 .../services/ciba-interaction-service.md | 6 +- .../services/ciba-user-notification.md | 4 +- .../device-flow-interaction-service.md | 2 - .../{ => v7}/services/interaction-service.md | 4 +- .../services/persisted-grant-service.md | 2 - .../{ => v7}/services/profile-service.md | 4 - .../services/refresh-token-service.md | 2 - .../services/session-management-service.md | 2 - .../v7/services/token-creation-service.md | 83 ++ .../{ => v7}/services/user-session-service.md | 22 +- .../reference/{ => v7}/stores/_meta.yml | 0 .../stores/backchannel-auth-request-store.md | 2 - .../reference/v7/stores/client-store.md | 28 + .../v7/stores/cors-policy-service.md | 29 + .../reference/v7/stores/device-flow-store.md | 151 ++++ .../reference/{ => v7}/stores/idp-store.md | 4 +- .../reference/v7/stores/index.md | 24 + .../{ => 
v7}/stores/persisted-grant-store.md | 8 +- .../pushed-authorization-request-store.md | 90 ++ .../{ => v7}/stores/resource-store.md | 2 - .../v7/stores/server-side-sessions.md | 228 +++++ .../{ => v7}/stores/signing-key-store.md | 2 - .../reference/{ => v7}/validators/_meta.yml | 0 .../validators/ciba-user-validator.md | 2 - .../custom-authorize-request-validator.md | 36 + .../custom-token-request-validator.md | 43 + .../validators/dpop-proof-validator.md | 2 - .../validators/extension-grant-validator.md | 4 +- .../identityserver/reference/v8/_meta.yml | 3 + .../identityserver/reference/v8/dcr/_meta.yml | 2 + .../reference/{ => v8}/dcr/models.md | 117 +-- .../reference/{ => v8}/dcr/options.md | 17 +- .../reference/{ => v8}/dcr/processing.md | 29 +- .../reference/v8/dcr/response.md | 41 + .../reference/{ => v8}/dcr/store.md | 9 +- .../reference/{ => v8}/dcr/validation.md | 44 +- .../identityserver/reference/{ => v8}/di.md | 9 +- .../reference/v8/efoptions/_meta.yml | 2 + .../{ => v8}/efoptions/configuration.md | 2 +- .../reference/{ => v8}/efoptions/index.md | 2 +- .../{ => v8}/efoptions/operational.md | 2 +- .../reference/v8/endpoints/_meta.yml | 2 + .../reference/{ => v8}/endpoints/authorize.md | 4 +- .../reference/{ => v8}/endpoints/ciba.md | 2 +- .../endpoints/device-authorization.md | 3 +- .../reference/{ => v8}/endpoints/discovery.md | 2 +- .../{ => v8}/endpoints/end-session.md | 3 +- .../{ => v8}/endpoints/introspection.md | 2 +- .../reference/v8/endpoints/oauth-metadata.md | 27 + .../{ => v8}/endpoints/revocation.md | 2 +- .../reference/{ => v8}/endpoints/token.md | 2 +- .../reference/{ => v8}/endpoints/userinfo.md | 2 +- .../reference/v8/models/_meta.yml | 2 + .../reference/{ => v8}/models/api-resource.md | 7 +- .../reference/{ => v8}/models/api-scope.md | 3 +- .../{ => v8}/models/ciba-login-request.md | 2 +- .../reference/{ => v8}/models/client.md | 2 +- .../models/grant-validation-result.md | 2 +- .../{ => v8}/models/identity-resource.md | 2 +- 
.../reference/{ => v8}/models/idp.md | 2 +- .../{ => v8}/models/license-usage-summary.md | 2 +- .../reference/{ => v8}/models/secrets.md | 2 +- .../identityserver/reference/v8/options.md | 799 ++++++++++++++++++ .../reference/v8/response-handling/_meta.yml | 2 + ...uthorize-interaction-response-generator.md | 2 +- .../response-handling/http-response-writer.md | 2 +- .../{ => v8}/response-handling/index.md | 2 +- .../token_response_generator.md | 108 +++ .../reference/v8/services/_meta.yml | 2 + .../v8/services/ciba-interaction-service.md | 66 ++ .../v8/services/ciba-user-notification.md | 24 + .../device-flow-interaction-service.md | 51 ++ .../v8/services/interaction-service.md | 247 ++++++ .../v8/services/persisted-grant-service.md | 98 +++ .../reference/v8/services/profile-service.md | 118 +++ .../v8/services/refresh-token-service.md | 80 ++ .../v8/services/session-management-service.md | 137 +++ .../services/token-creation-service.md | 4 +- .../v8/services/user-session-service.md | 60 ++ .../reference/v8/stores/_meta.yml | 2 + .../stores/backchannel-auth-request-store.md | 139 +++ .../reference/{ => v8}/stores/client-store.md | 2 +- .../{ => v8}/stores/cors-policy-service.md | 2 +- .../{ => v8}/stores/device-flow-store.md | 2 +- .../reference/v8/stores/idp-store.md | 40 + .../reference/{ => v8}/stores/index.md | 2 +- .../v8/stores/persisted-grant-store.md | 211 +++++ .../pushed-authorization-request-store.md | 2 +- .../reference/v8/stores/resource-store.md | 48 ++ .../stores/saml-service-provider-store.md | 4 +- .../{ => v8}/stores/server-side-sessions.md | 2 +- .../reference/v8/stores/signing-key-store.md | 96 +++ .../reference/v8/validators/_meta.yml | 2 + .../v8/validators/ciba-user-validator.md | 74 ++ .../custom-authorize-request-validator.md | 6 +- .../custom-token-request-validator.md | 4 +- .../v8/validators/dpop-proof-validator.md | 115 +++ .../validators/extension-grant-validator.md | 52 ++ .../tokens/client-authentication.md | 10 +- 
.../docs/identityserver/tokens/cors.md | 4 +- .../tokens/dynamic-validation.md | 2 +- .../identityserver/tokens/extension-grants.md | 6 +- .../docs/identityserver/tokens/index.md | 4 +- .../content/docs/identityserver/tokens/jar.md | 4 +- .../identityserver/tokens/password-grant.md | 4 +- .../content/docs/identityserver/tokens/pop.md | 4 +- .../docs/identityserver/tokens/reference.md | 2 +- .../docs/identityserver/tokens/refresh.md | 6 +- .../docs/identityserver/tokens/requesting.md | 4 +- .../content/docs/identityserver/ui/ciba.md | 12 +- .../content/docs/identityserver/ui/consent.md | 8 +- .../content/docs/identityserver/ui/custom.md | 4 +- .../content/docs/identityserver/ui/error.md | 6 +- .../docs/identityserver/ui/federation.md | 4 +- .../docs/identityserver/ui/login/context.md | 4 +- .../ui/login/dynamicproviders.md | 16 +- .../docs/identityserver/ui/login/redirect.md | 2 +- .../docs/identityserver/ui/login/session.md | 10 +- .../ui/logout/client-redirect.md | 2 +- .../docs/identityserver/ui/logout/external.md | 2 +- .../ui/logout/logout-context.md | 4 +- .../identityserver/ui/logout/notification.md | 6 +- .../ui/logout/session-cleanup.md | 6 +- .../inactivity-timeout.md | 4 +- .../ui/server-side-sessions/index.md | 8 +- .../session-expiration.mdx | 4 +- .../session-management.md | 2 +- ...ityserver4-to-duende-identityserver-v7.mdx | 4 +- ...yserver4-v4-to-duende-identityserver-v6.md | 2 +- .../identityserver/upgrades/v5_1-to-v5_2.md | 2 +- .../identityserver/upgrades/v5_2-to-v6_0.md | 2 +- .../identityserver/upgrades/v6_0-to-v6_1.md | 2 +- .../identityserver/upgrades/v6_2-to-v6_3.md | 6 +- .../identityserver/upgrades/v6_3-to-v7_0.md | 2 +- 195 files changed, 6564 insertions(+), 400 deletions(-) rename astro/src/content/docs/identityserver/data/{configuration.md => configuration.mdx} (53%) delete mode 100644 astro/src/content/docs/identityserver/reference/dcr/response.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/_meta.yml rename 
astro/src/content/docs/identityserver/reference/{ => v7}/dcr/_meta.yml (100%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/dcr/models.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/dcr/options.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/dcr/processing.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/dcr/response.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/dcr/store.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/dcr/validation.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/di.md rename astro/src/content/docs/identityserver/reference/{ => v7}/efoptions/_meta.yml (100%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/efoptions/configuration.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/efoptions/index.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/efoptions/operational.md rename astro/src/content/docs/identityserver/reference/{ => v7}/endpoints/_meta.yml (100%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/endpoints/authorize.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/endpoints/ciba.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/endpoints/device-authorization.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/endpoints/discovery.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/endpoints/end-session.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/endpoints/introspection.md rename astro/src/content/docs/identityserver/reference/{ => v7}/endpoints/oauth-metadata.md (89%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/endpoints/revocation.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/endpoints/token.md create mode 
100644 astro/src/content/docs/identityserver/reference/v7/endpoints/userinfo.md rename astro/src/content/docs/identityserver/reference/{ => v7}/models/_meta.yml (100%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/models/api-resource.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/models/api-scope.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/models/ciba-login-request.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/models/client.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/models/grant-validation-result.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/models/identity-resource.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/models/idp.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/models/license-usage-summary.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/models/secrets.md rename astro/src/content/docs/identityserver/reference/{ => v7}/options.md (99%) rename astro/src/content/docs/identityserver/reference/{ => v7}/response-handling/_meta.yml (100%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/response-handling/authorize-interaction-response-generator.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/response-handling/http-response-writer.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/response-handling/index.md rename astro/src/content/docs/identityserver/reference/{ => v7}/response-handling/token_response_generator.md (98%) rename astro/src/content/docs/identityserver/reference/{ => v7}/services/_meta.yml (100%) rename astro/src/content/docs/identityserver/reference/{ => v7}/services/ciba-interaction-service.md (90%) rename astro/src/content/docs/identityserver/reference/{ => v7}/services/ciba-user-notification.md (79%) rename 
astro/src/content/docs/identityserver/reference/{ => v7}/services/device-flow-interaction-service.md (90%) rename astro/src/content/docs/identityserver/reference/{ => v7}/services/interaction-service.md (96%) rename astro/src/content/docs/identityserver/reference/{ => v7}/services/persisted-grant-service.md (95%) rename astro/src/content/docs/identityserver/reference/{ => v7}/services/profile-service.md (95%) rename astro/src/content/docs/identityserver/reference/{ => v7}/services/refresh-token-service.md (95%) rename astro/src/content/docs/identityserver/reference/{ => v7}/services/session-management-service.md (96%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/services/token-creation-service.md rename astro/src/content/docs/identityserver/reference/{ => v7}/services/user-session-service.md (59%) rename astro/src/content/docs/identityserver/reference/{ => v7}/stores/_meta.yml (100%) rename astro/src/content/docs/identityserver/reference/{ => v7}/stores/backchannel-auth-request-store.md (96%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/stores/client-store.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/stores/cors-policy-service.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/stores/device-flow-store.md rename astro/src/content/docs/identityserver/reference/{ => v7}/stores/idp-store.md (90%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/stores/index.md rename astro/src/content/docs/identityserver/reference/{ => v7}/stores/persisted-grant-store.md (97%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/stores/pushed-authorization-request-store.md rename astro/src/content/docs/identityserver/reference/{ => v7}/stores/resource-store.md (92%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/stores/server-side-sessions.md rename astro/src/content/docs/identityserver/reference/{ => 
v7}/stores/signing-key-store.md (95%) rename astro/src/content/docs/identityserver/reference/{ => v7}/validators/_meta.yml (100%) rename astro/src/content/docs/identityserver/reference/{ => v7}/validators/ciba-user-validator.md (94%) create mode 100644 astro/src/content/docs/identityserver/reference/v7/validators/custom-authorize-request-validator.md create mode 100644 astro/src/content/docs/identityserver/reference/v7/validators/custom-token-request-validator.md rename astro/src/content/docs/identityserver/reference/{ => v7}/validators/dpop-proof-validator.md (95%) rename astro/src/content/docs/identityserver/reference/{ => v7}/validators/extension-grant-validator.md (86%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/_meta.yml create mode 100644 astro/src/content/docs/identityserver/reference/v8/dcr/_meta.yml rename astro/src/content/docs/identityserver/reference/{ => v8}/dcr/models.md (64%) rename astro/src/content/docs/identityserver/reference/{ => v8}/dcr/options.md (57%) rename astro/src/content/docs/identityserver/reference/{ => v8}/dcr/processing.md (65%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/dcr/response.md rename astro/src/content/docs/identityserver/reference/{ => v8}/dcr/store.md (76%) rename astro/src/content/docs/identityserver/reference/{ => v8}/dcr/validation.md (50%) rename astro/src/content/docs/identityserver/reference/{ => v8}/di.md (93%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/efoptions/_meta.yml rename astro/src/content/docs/identityserver/reference/{ => v8}/efoptions/configuration.md (97%) rename astro/src/content/docs/identityserver/reference/{ => v8}/efoptions/index.md (91%) rename astro/src/content/docs/identityserver/reference/{ => v8}/efoptions/operational.md (98%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/endpoints/_meta.yml rename astro/src/content/docs/identityserver/reference/{ => v8}/endpoints/authorize.md (97%) rename 
astro/src/content/docs/identityserver/reference/{ => v8}/endpoints/ciba.md (98%) rename astro/src/content/docs/identityserver/reference/{ => v8}/endpoints/device-authorization.md (92%) rename astro/src/content/docs/identityserver/reference/{ => v8}/endpoints/discovery.md (98%) rename astro/src/content/docs/identityserver/reference/{ => v8}/endpoints/end-session.md (95%) rename astro/src/content/docs/identityserver/reference/{ => v8}/endpoints/introspection.md (98%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/endpoints/oauth-metadata.md rename astro/src/content/docs/identityserver/reference/{ => v8}/endpoints/revocation.md (96%) rename astro/src/content/docs/identityserver/reference/{ => v8}/endpoints/token.md (98%) rename astro/src/content/docs/identityserver/reference/{ => v8}/endpoints/userinfo.md (96%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/models/_meta.yml rename astro/src/content/docs/identityserver/reference/{ => v8}/models/api-resource.md (93%) rename astro/src/content/docs/identityserver/reference/{ => v8}/models/api-scope.md (94%) rename astro/src/content/docs/identityserver/reference/{ => v8}/models/ciba-login-request.md (95%) rename astro/src/content/docs/identityserver/reference/{ => v8}/models/client.md (99%) rename astro/src/content/docs/identityserver/reference/{ => v8}/models/grant-validation-result.md (96%) rename astro/src/content/docs/identityserver/reference/{ => v8}/models/identity-resource.md (97%) rename astro/src/content/docs/identityserver/reference/{ => v8}/models/idp.md (98%) rename astro/src/content/docs/identityserver/reference/{ => v8}/models/license-usage-summary.md (98%) rename astro/src/content/docs/identityserver/reference/{ => v8}/models/secrets.md (98%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/options.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/response-handling/_meta.yml rename 
astro/src/content/docs/identityserver/reference/{ => v8}/response-handling/authorize-interaction-response-generator.md (95%) rename astro/src/content/docs/identityserver/reference/{ => v8}/response-handling/http-response-writer.md (95%) rename astro/src/content/docs/identityserver/reference/{ => v8}/response-handling/index.md (96%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/response-handling/token_response_generator.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/services/_meta.yml create mode 100644 astro/src/content/docs/identityserver/reference/v8/services/ciba-interaction-service.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/services/ciba-user-notification.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/services/device-flow-interaction-service.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/services/interaction-service.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/services/persisted-grant-service.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/services/profile-service.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/services/refresh-token-service.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/services/session-management-service.md rename astro/src/content/docs/identityserver/reference/{ => v8}/services/token-creation-service.md (95%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/services/user-session-service.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/stores/_meta.yml create mode 100644 astro/src/content/docs/identityserver/reference/v8/stores/backchannel-auth-request-store.md rename astro/src/content/docs/identityserver/reference/{ => v8}/stores/client-store.md (96%) rename astro/src/content/docs/identityserver/reference/{ => v8}/stores/cors-policy-service.md (93%) rename 
astro/src/content/docs/identityserver/reference/{ => v8}/stores/device-flow-store.md (98%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/stores/idp-store.md rename astro/src/content/docs/identityserver/reference/{ => v8}/stores/index.md (96%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/stores/persisted-grant-store.md rename astro/src/content/docs/identityserver/reference/{ => v8}/stores/pushed-authorization-request-store.md (97%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/stores/resource-store.md rename astro/src/content/docs/identityserver/reference/{ => v8}/stores/saml-service-provider-store.md (87%) rename astro/src/content/docs/identityserver/reference/{ => v8}/stores/server-side-sessions.md (98%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/stores/signing-key-store.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/validators/_meta.yml create mode 100644 astro/src/content/docs/identityserver/reference/v8/validators/ciba-user-validator.md rename astro/src/content/docs/identityserver/reference/{ => v8}/validators/custom-authorize-request-validator.md (89%) rename astro/src/content/docs/identityserver/reference/{ => v8}/validators/custom-token-request-validator.md (94%) create mode 100644 astro/src/content/docs/identityserver/reference/v8/validators/dpop-proof-validator.md create mode 100644 astro/src/content/docs/identityserver/reference/v8/validators/extension-grant-validator.md
diff --git a/astro/astro.config.mjs b/astro/astro.config.mjs
index a1aaadf1e..cf6f148ee 100644
--- a/astro/astro.config.mjs
+++ b/astro/astro.config.mjs
@@ -117,7 +117,7 @@ export default defineConfig({
 errorOnFallbackPages: false,
 errorOnInconsistentLocale: true,
 errorOnRelativeLinks: false,
- errorOnLocalLinks: false,
+ errorOnLocalLinks: false
 }),
 ],
 title: "Duende Software Docs",
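Review bot: The only change in the astro.config.mjs hunk drops the trailing comma after `errorOnLocalLinks: false`, which is unrelated to the reference-folder work and leaves the last property inconsistent with the comma-terminated properties above it. Keeping `errorOnLocalLinks: false,` avoids a spurious one-line diff the next time a link-validator option is appended. If a formatter runs on this file (not visible here), it may re-add the comma on the next save, so this is probably better reverted than committed.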
diff --git a/astro/src/content/docs/bff/fundamentals/session/management/back-channel-logout.md b/astro/src/content/docs/bff/fundamentals/session/management/back-channel-logout.md index 943dc29b2..7dfde31ba 100644 --- a/astro/src/content/docs/bff/fundamentals/session/management/back-channel-logout.md +++ b/astro/src/content/docs/bff/fundamentals/session/management/back-channel-logout.md @@ -23,7 +23,7 @@ involving the user's browser. This design avoids problems with 3rd party cookies The back-channel logout endpoint is invoked by the remote identity provider when it determines that sessions should be ended. IdentityServer will send back-channel logout requests if -you [configure](/identityserver/reference/models/client.md#authentication--session-management) your client's +you [configure](/identityserver/reference/v8/models/client.md#authentication--session-management) your client's `BackChannelLogoutUri`. When a session ends at IdentityServer, any client that was participating in that session that has a back-channel logout URI configured will be sent a back-channel logout request. This typically happens when another application signs out. [Expiration](/identityserver/ui/server-side-sessions/session-expiration.mdx) diff --git a/astro/src/content/docs/bff/fundamentals/session/management/user.md b/astro/src/content/docs/bff/fundamentals/session/management/user.md index 7dd28e71b..037bf2422 100644 --- a/astro/src/content/docs/bff/fundamentals/session/management/user.md +++ b/astro/src/content/docs/bff/fundamentals/session/management/user.md 
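Review bot: The retargeted link in this hunk (and the same edits in user.md, authorization.md, schemes.md, dcr.mdx and data/configuration.mdx further down) hard-codes `/identityserver/reference/v8/…`, which the subject line describes as the future release, so the unversioned BFF and IdentityServer guides now point readers at reference pages for an API that may not match the version they are running. If v7 is still the shipping version, these cross-links should target `/identityserver/reference/v7/models/client.md#authentication--session-management` until v8 ships, or go through an unversioned path that resolves to the current reference so the next major does not need another sweep of ~100 links. A line in the commit description stating which version the unversioned docs are meant to track would let reviewers check the links against that intent. This is inferred from the subject line; if v8 is already released, only the maintainability point stands.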
@@ -66,7 +66,7 @@ handler's [ClaimAction](https://docs.microsoft.com/en-us/dotnet/API/microsoft.as infrastructure, or by using [claims transformation](https://docs.microsoft.com/en-us/dotnet/API/microsoft.aspnetcore.authentication.iclaimstransformation?view=aspnetcore-7.0). For example, if you add a [claim](/identityserver/fundamentals/claims.md) to -the [userinfo endpoint](/identityserver/reference/endpoints/userinfo.md) at IdentityServer that you would like to include +the [userinfo endpoint](/identityserver/reference/v8/endpoints/userinfo.md) at IdentityServer that you would like to include in the */bff/user* endpoint, you need to add a corresponding ClaimAction in the BFF's OpenID Connect Handler to include the claim in the BFF's session. diff --git a/astro/src/content/docs/identityserver/apis/aspnetcore/authorization.md b/astro/src/content/docs/identityserver/apis/aspnetcore/authorization.md index 195fbd19a..61e37c771 100644 --- a/astro/src/content/docs/identityserver/apis/aspnetcore/authorization.md +++ b/astro/src/content/docs/identityserver/apis/aspnetcore/authorization.md 
@@ -71,7 +71,7 @@ app.MapGet("/", () => Historically, Duende IdentityServer emitted the `scope` claims as an array in the JWT. This works very well with the .NET deserialization logic, which turns every array item into a separate claim of type `scope`. -The newer *JWT Profile for OAuth* [spec](/identityserver/overview/specs.md) mandates that the scope claim is a single space delimited string. You can switch the format by setting the `EmitScopesAsSpaceDelimitedStringInJwt` on the [options](/identityserver/reference/options.md). But this means that the code consuming access tokens might need to be adjusted. The following code can do a conversion to the *multiple claims* format that .NET prefers: +The newer *JWT Profile for OAuth* [spec](/identityserver/overview/specs.md) mandates that the scope claim is a single space delimited string. You can switch the format by setting the `EmitScopesAsSpaceDelimitedStringInJwt` on the [options](/identityserver/reference/v8/options.md). But this means that the code consuming access tokens might need to be adjusted. The following code can do a conversion to the *multiple claims* format that .NET prefers: ```csharp namespace IdentityModel.AspNetCore.AccessTokenValidation; diff --git a/astro/src/content/docs/identityserver/aspnet-identity/schemes.md b/astro/src/content/docs/identityserver/aspnet-identity/schemes.md index 44e608e0d..132036b52 100644 --- a/astro/src/content/docs/identityserver/aspnet-identity/schemes.md +++ b/astro/src/content/docs/identityserver/aspnet-identity/schemes.md 
@@ -60,7 +60,7 @@ IdentityServer always uses the `"idsrv.external"` scheme here, available in the ### Check Session Cookie IdentityServer session management requires a separate cookie to monitor the session state without sending the large authentication cookie. -The [User Session Service](/identityserver/reference/services/user-session-service.md) manages this cookie. +The [User Session Service](/identityserver/reference/v8/services/user-session-service.md) manages this cookie. - **Default Name:** `"idsrv.session"` (Constant: `IdentityServerConstants.DefaultCheckSessionCookieName`). diff --git a/astro/src/content/docs/identityserver/configuration/dcr.mdx b/astro/src/content/docs/identityserver/configuration/dcr.mdx index 7f01c6478..996e2ecf8 100644 --- a/astro/src/content/docs/identityserver/configuration/dcr.mdx +++ b/astro/src/content/docs/identityserver/configuration/dcr.mdx @@ -109,7 +109,7 @@ create a new ASP.NET Core Web application which will host the Configuration API. needs an implementation of this interface. You can either use the Entity Framework Core-based implementation, or implement - the interface yourself. See [the IClientConfigurationStore reference](/identityserver/reference/stores/index.md) + the interface yourself. See [the IClientConfigurationStore reference](/identityserver/reference/v8/stores/index.md) for more details. If you wish to use the built-in implementation, install its NuGet package and add it to the ASP.NET Core service provider. 
@@ -163,7 +163,7 @@ and configure the store implementation. needs an implementation of this interface. You can either use the Entity Framework Core-based implementation, or implement - the interface yourself. See [the IClientConfigurationStore reference](/identityserver/reference/stores/index.md) + the interface yourself. See [the IClientConfigurationStore reference](/identityserver/reference/v8/stores/index.md) for more details. If you wish to use the built-in implementation, install its NuGet package and add it to the ASP.NET Core service provider. @@ -192,7 +192,7 @@ and configure the store implementation. ### Adding the Registration Endpoint to the Discovery Document -By default, the Dynamic Client Registration (DCR) endpoint is not included in the [discovery document](/identityserver/reference/endpoints/discovery.md) of Duende IdentityServer. +By default, the Dynamic Client Registration (DCR) endpoint is not included in the [discovery document](/identityserver/reference/v8/endpoints/discovery.md) of Duende IdentityServer. To include it, change the Discovery Document options when registering IdentityServer in the service collection: @@ -263,7 +263,7 @@ authentication scheme and an authorization policy that requires a particular scope to be present in the JWTs. You could choose any name for the scope that gives access to the Configuration APIs. Let's use the name `IdentityServer.Configuration` for this example. You would then define the -`IdentityServer.Configuration` scope as an [ApiScope](/identityserver/reference/models/api-scope.md) in your +`IdentityServer.Configuration` scope as an [ApiScope](/identityserver/reference/v8/models/api-scope.md) in your IdentityServer and allow the appropriate clients to access it. An automated process running in a CI pipeline could be configured as an OAuth client 
@@ -301,7 +301,7 @@ The registration endpoint is invoked by making an HTTP POST request to the `/con with a JSON payload containing metadata describing the desired client as described in [RFC 7591](https://datatracker.ietf.org/doc/rfc7591/) and [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html). -The supported metadata properties are listed in the reference section on the [`DynamicClientRegistrationRequest` model](/identityserver/reference/dcr/models.md#dynamicclientregistrationrequest). +The supported metadata properties are listed in the reference section on the [`DynamicClientRegistrationRequest` model](/identityserver/reference/v8/dcr/models.md#dynamicclientregistrationrequest). A mixture of standardized and IdentityServer-specific properties are supported. Most standardized properties that are applicable to the client credentials or code flow grants are supported. @@ -346,7 +346,7 @@ the original request, the claims principal that made the request, and a dictiona pass state between customized steps. Each step should update the client in the context and return an `IStepResult` to indicate success or failure. -For more details, see the [reference section on DCR validation](/identityserver/reference/dcr/validation.md). +For more details, see the [reference section on DCR validation](/identityserver/reference/v8/dcr/validation.md). ### Processing 
@@ -354,11 +354,11 @@ The request processor can be customized by implementing the `IDynamicClientRegis
 or by extending the default `DynamicClientRegistrationRequestProcessor`. The default request processor contains virtual methods that allow you to override (part of) its functionality.
-For more details, see the [reference section on DCR request processing](/identityserver/reference/dcr/processing.md).
+For more details, see the [reference section on DCR request processing](/identityserver/reference/v8/dcr/processing.md).
 ### Response Generation
 To customize the HTTP responses of the Configuration API, you can implement the `IDynamicClientRegistrationResponseGenerator` interface, or extend the default `DynamicClientRegistrationResponseGenerator`.
-For more details, see the [reference section on DCR response generation](/identityserver/reference/dcr/response.md).
\ No newline at end of file
+For more details, see the [reference section on DCR response generation](/identityserver/reference/v8/dcr/response.md).
\ No newline at end of file
diff --git a/astro/src/content/docs/identityserver/data/configuration.md b/astro/src/content/docs/identityserver/data/configuration.mdx
similarity index 53%
rename from astro/src/content/docs/identityserver/data/configuration.md
rename to astro/src/content/docs/identityserver/data/configuration.mdx
index fd2402374..f47e13423 100644
--- a/astro/src/content/docs/identityserver/data/configuration.md
+++ b/astro/src/content/docs/identityserver/data/configuration.mdx
@@ -18,18 +18,18 @@ and [Resources](/identityserver/fundamentals/resources).
 Store interfaces are designed to abstract accessing the configuration data. The stores used in Duende IdentityServer are:
-* [Client store](/identityserver/reference/stores/client-store.md) for `Client` data.
-* [CORS policy service](/identityserver/reference/stores/cors-policy-service.md)
+* [Client store](/identityserver/reference/v8/stores/client-store.md) for `Client` data.
+* [CORS policy service](/identityserver/reference/v8/stores/cors-policy-service.md)
 for [CORS support](/identityserver/tokens/cors.md). Given that this is so closely tied to the `Client` configuration data, the CORS policy service is considered one of the configuration stores.
-* [Resource store](/identityserver/reference/stores/resource-store.md) for `IdentityResource`, `ApiResource`, and
+* [Resource store](/identityserver/reference/v8/stores/resource-store.md) for `IdentityResource`, `ApiResource`, and
 `ApiScope` data.
-* [Identity Provider store](/identityserver/reference/stores/idp-store.md) for `IdentityProvider` data.
+* [Identity Provider store](/identityserver/reference/v8/stores/idp-store.md) for `IdentityProvider` data.
 ## Registering Custom Stores
 Custom implementations of the stores must be registered in the ASP.NET Core service provider.
-There are [convenience methods](/identityserver/reference/di.md#configuration-stores) for registering these.
+There are [convenience methods](/identityserver/reference/v8/di.md#configuration-stores) for registering these.
 For example:
 ```csharp
@@ -38,7 +38,7 @@ builder.Services.AddIdentityServer()
 .AddClientStore()
 .AddCorsPolicyService()
 .AddResourceStore()
- .AddIdentityProviderStore();
+ .AddIdentityProviderStore();
 ```
 ## Caching Configuration Data
@@ -47,7 +47,65 @@ Configuration data is used frequently during request processing.
 If this data is loaded from a database or other external store, then it might be expensive to frequently re-load the same data.
-Duende IdentityServer provides [convenience methods](/identityserver/reference/di.md#caching-configuration-data) to
+import { Tabs, TabItem } from '@astrojs/starlight/components';
+
+
+
+Duende IdentityServer provides [convenience methods](/identityserver/reference/v8/di#caching-configuration-data) to
+enable caching data from the various stores.
+The caching implementation is built on Microsoft's [`HybridCache`](https://learn.microsoft.com/en-us/aspnet/core/performance/caching/hybrid) from the `Microsoft.Extensions.Caching.Hybrid` package, registered as a [keyed service](https://learn.microsoft.com/en-us/dotnet/core/extensions/dependency-injection#keyed-services) under `ServiceProviderKeys.ConfigurationStoreCache`. For example:
+
+```csharp
+// Program.cs
+builder.Services.AddIdentityServer()
+ .AddClientStore()
+ .AddCorsPolicyService()
+ .AddResourceStore()
+ .AddInMemoryCaching()
+ .AddClientStoreCache()
+ .AddCorsPolicyCache()
+ .AddResourceStoreCache()
+ .AddIdentityProviderStoreCache();
+```
+
+For Entity Framework users, there is a convenience method `AddConfigurationStoreCache()` that enables caching for all configuration stores at once:
+
+```csharp
+// Program.cs
+builder.Services.AddIdentityServer()
+ .AddConfigurationStore(...)
+ .AddConfigurationStoreCache();
+```
+
+The duration of the data in the default cache is configurable on
+the [`IdentityServerOptions`](/identityserver/reference/v8/options#caching).
+For example:
+
+```csharp
+// Program.cs
+builder.Services.AddIdentityServer(options => {
+ options.Caching.ClientStoreExpiration = TimeSpan.FromMinutes(5);
+ options.Caching.ResourceStoreExpiration = TimeSpan.FromMinutes(5);
+})
+ .AddClientStore()
+ .AddCorsPolicyService()
+ .AddResourceStore()
+ .AddInMemoryCaching()
+ .AddClientStoreCache()
+ .AddCorsPolicyCache()
+ .AddResourceStoreCache();
+```
+
+Further customization of the cache is possible:
+
+* The caching stores use a keyed `HybridCache` instance registered under `ServiceProviderKeys.ConfigurationStoreCache`. You can customize the `HybridCache` behavior by configuring the keyed service registration (e.g., adding a distributed cache backend via `IDistributedCache`).
+* By default, only the L1 (in-memory) cache tier is used. To enable L2 (distributed) caching, register an `IDistributedCache` implementation (e.g., Redis via `AddStackExchangeRedisCache`). `HybridCache` will automatically use it as the L2 tier.
+
+
+
+Duende IdentityServer provides [convenience methods](/identityserver/reference/v8/di.md#caching-configuration-data) to
 enable caching data from the various stores. The caching implementation relies upon an `ICache` service and must also be added to the ASP.NET Core service provider. For example:
@@ -62,11 +120,11 @@ builder.Services.AddIdentityServer()
 .AddClientStoreCache()
 .AddCorsPolicyCache()
 .AddResourceStoreCache()
- .AddIdentityProviderStoreCache();
+ .AddIdentityProviderStoreCache();
 ```
 The duration of the data in the default cache is configurable on
-the [IdentityServerOptions](/identityserver/reference/options.md#caching).
+the [`IdentityServerOptions`](/identityserver/reference/v8/options#caching).
 For example:
 ```csharp
@@ -93,9 +151,12 @@ Further customization of the cache is possible:
 If you wish to customize the in-memory caching behavior, you can replace the `IMemoryCache` implementation in the dependency injection system.
+
+
+
 ## In-Memory Stores
-The various [in-memory configuration APIs](/identityserver/reference/di.md#configuration-stores) allow for configuring
+The various [in-memory configuration APIs](/identityserver/reference/v8/di.md#configuration-stores) allow for configuring
 IdentityServer from an in-memory list of the various configuration objects. These in-memory collections can be hard-coded in the hosting application, or could be loaded dynamically from a configuration file or a database.
diff --git a/astro/src/content/docs/identityserver/data/ef.md b/astro/src/content/docs/identityserver/data/ef.md
index d075a3d25..9ac6ababf 100644
--- a/astro/src/content/docs/identityserver/data/ef.md
+++ b/astro/src/content/docs/identityserver/data/ef.md
@@ -142,7 +142,7 @@ This options class contains properties to control the operational store and `Per
 :::note
-The token cleanup feature does `not` remove persisted grants that are `consumed` (see [persisted grants](/identityserver/reference/stores/persisted-grant-store.md)). It only removes persisted grants that are beyond their `Expiration`.
+The token cleanup feature does `not` remove persisted grants that are `consumed` (see [persisted grants](/identityserver/reference/v8/stores/persisted-grant-store.md)). It only removes persisted grants that are beyond their `Expiration`.
 :::
 ## Database Creation And Schema Changes Across Different IdentityServer Versions
diff --git a/astro/src/content/docs/identityserver/data/operational.md b/astro/src/content/docs/identityserver/data/operational.md
index b473f8fd0..6dca116d1 100644
--- a/astro/src/content/docs/identityserver/data/operational.md
+++ b/astro/src/content/docs/identityserver/data/operational.md
@@ -33,8 +33,8 @@ These include authorization and device codes, reference and refresh tokens, and
 ### Stores
 The persistence for grants is abstracted behind two interfaces:
-* The [persisted grant store](/identityserver/reference/stores/persisted-grant-store.md) is a common store for most grants.
-* The [device flow store](/identityserver/reference/stores/device-flow-store.md) is a specialized store for device grants.
+* The [persisted grant store](/identityserver/reference/v8/stores/persisted-grant-store.md) is a common store for most grants.
+* The [device flow store](/identityserver/reference/v8/stores/device-flow-store.md) is a specialized store for device grants.
 ### Registering Custom Stores
@@ -57,14 +57,14 @@ Some grant types are one-time use only (either by definition or configuration).
 Once they are "used", rather than deleting the record, the `ConsumedTime` value is set in the database marking them as having been used. This "soft delete" allows for custom implementations to either have flexibility in allowing a grant to be re-used (typically within a short window of time), or to be used in risk assessment and threat mitigation scenarios (where suspicious activity is detected) to revoke access.
-For refresh tokens, this sort of custom logic would be performed in the [IRefreshTokenService](/identityserver/reference/services/refresh-token-service.md).
+For refresh tokens, this sort of custom logic would be performed in the [IRefreshTokenService](/identityserver/reference/v8/services/refresh-token-service.md).
 ### Grant Data
 The `Data` property of the model contains the authoritative copy of the values in the store. This data is protected at rest using the ASP.NET Data Protection API. Except for `ConsumedTime`, the other properties of the model should be treated as read-only.
 ### Persisted Grant Service
 Working with the grants store directly might be too low level.
-As such, a higher level service called the [IPersistedGrantService](/identityserver/reference/services/persisted-grant-service.md) is provided.
+As such, a higher level service called the [IPersistedGrantService](/identityserver/reference/v8/services/persisted-grant-service.md) is provided.
 It abstracts and aggregates the different grant types into one concept, and allows querying and revoking the persisted grants for a user.
 ## Keys
@@ -73,7 +73,7 @@ The [automatic key management](/identityserver/fundamentals/key-management.md#au
 ### Signing Key Store
 By default, the file system is used, but the storage of these keys is abstracted behind an extensible store interface.
-The [ISigningKeyStore](/identityserver/reference/stores/signing-key-store.md) is that storage interface.
+The [ISigningKeyStore](/identityserver/reference/v8/stores/signing-key-store.md) is that storage interface.
 ### Registering a custom signing key store
@@ -88,12 +88,12 @@ builder.Services.AddIdentityServer()
 ### Key Lifecycle
 When keys are required, `LoadKeysAsync` will be called to load them all from the store.
-They are then cached automatically for some amount of time based on [configuration](/identityserver/reference/options.md#key-management).
+They are then cached automatically for some amount of time based on [configuration](/identityserver/reference/v8/options.md#key-management).
 Periodically a new key will be created, and `StoreKeyAsync` will be used to persist the new key. Once a key is past its retirement, `DeleteKeyAsync` will be used to purge the key from the store.
 ### Serialized Key
-The [SerializedKey](/identityserver/reference/stores/signing-key-store.md#serializedkey) is the model that contains the key data to persist.
+The [SerializedKey](/identityserver/reference/v8/stores/signing-key-store.md#serializedkey) is the model that contains the key data to persist.
 It is expected that the `Id` is the unique identifier for the key in the store. The `Data` property is the main payload of the key and contains a copy of all the other values. Some of the properties affect how the `Data` is processed (e.g. `DataProtected`), and the other properties are considered read-only and thus can't be changed to affect the behavior (e.g. changing the `Created` value will not affect the key lifetime, nor will changing `Algorithm` change which signing algorithm the key is used for).
@@ -107,10 +107,10 @@ The [server-side sessions](/identityserver/ui/server-side-sessions/index.md) fea
 ### Server-Side Session Store
-The [IServerSideSessionStore](/identityserver/reference/stores/server-side-sessions.md) abstracts storing the server-side session data.
-[ServerSideSession](/identityserver/reference/stores/server-side-sessions.md#serversidesession) objects act as the storage entity, and provide several properties used as metadata for the session. The `Ticket` property contains the actual serialized data used by the ASP.NET Cookie Authentication handler. By default, this serialized data is stored in an encrypted state using ASP.NET Core Data Protection.
+The [IServerSideSessionStore](/identityserver/reference/v8/stores/server-side-sessions.md) abstracts storing the server-side session data.
+[ServerSideSession](/identityserver/reference/v8/stores/server-side-sessions.md#serversidesession) objects act as the storage entity, and provide several properties used as metadata for the session. The `Ticket` property contains the actual serialized data used by the ASP.NET Cookie Authentication handler. By default, this serialized data is stored in an encrypted state using ASP.NET Core Data Protection.
-The methods on the [IServerSideSessionStore](/identityserver/reference/stores/server-side-sessions.md) are used to orchestrate the various management functions needed by the [server-side sessions](/identityserver/ui/server-side-sessions/index.md#session-management) feature.
+The methods on the [IServerSideSessionStore](/identityserver/reference/v8/stores/server-side-sessions.md) are used to orchestrate the various management functions needed by the [server-side sessions](/identityserver/ui/server-side-sessions/index.md#session-management) feature.
 ### Registering a custom store
diff --git a/astro/src/content/docs/identityserver/deployment/index.md b/astro/src/content/docs/identityserver/deployment/index.md
index 9b5260913..0308eafa1 100644
--- a/astro/src/content/docs/identityserver/deployment/index.md
+++ b/astro/src/content/docs/identityserver/deployment/index.md
@@ -118,7 +118,7 @@ round-tripped through the browser from being tampered with.
 Separately, IdentityServer needs cryptographic keys, called [signing keys](/identityserver/fundamentals/key-management.md), to sign tokens such as JWT access tokens and id tokens. The signing keys use public key cryptography to allow client applications and APIs to validate token signatures using the public keys, which are published by IdentityServer
-through [discovery](/identityserver/reference/endpoints/discovery.md). The private key component of the signing keys are
+through [discovery](/identityserver/reference/v8/endpoints/discovery.md). The private key component of the signing keys are
 also critical secrets for IdentityServer because a valid signature provides integrity and non-repudiation guarantees that allow client applications and APIs to trust those tokens.
@@ -165,7 +165,7 @@ Some optional features rely on ASP.NET Core distributed caching:
 * [State data formatter for OpenID Connect](/identityserver/ui/login/external.md#state-url-length-and-isecuredataformat)
 * Replay cache (e.g. for [JWT client credentials](/identityserver/tokens/client-authentication.md#setting-up-a-private-key-jwt-secret))
-* [Device flow](/identityserver/reference/stores/device-flow-store.md) throttling service
+* [Device flow](/identityserver/reference/v8/stores/device-flow-store.md) throttling service
 * Authorization parameter store
 In order to work in a multi-server environment, this needs to be set up correctly. Please consult the Microsoft [documentation](https://docs.microsoft.com/en-us/aspnet/core/performance/caching/distributed) for more details.
diff --git a/astro/src/content/docs/identityserver/diagnostics/data.mdx b/astro/src/content/docs/identityserver/diagnostics/data.mdx
index bc860e6e4..522f6e321 100644
--- a/astro/src/content/docs/identityserver/diagnostics/data.mdx
+++ b/astro/src/content/docs/identityserver/diagnostics/data.mdx
@@ -16,7 +16,7 @@ import { Tabs, TabItem } from "@astrojs/starlight/components";
 To make troubleshooting easier, newer versions of IdentityServer can collect important configuration and operational diagnostics data from your IdentityServer host.
-Diagnostics data is [written to logs periodically](/identityserver/reference/options.md#diagnostics), and can be used by
+Diagnostics data is [written to logs periodically](/identityserver/reference/v8/options.md#diagnostics), and can be used by
 your operations team to help analyze your IdentityServer configuration. Diagnostics information is never automatically shared with Duende. In support scenarios, you can choose to manually share
@@ -37,12 +37,12 @@ The diagnostics data contains the following information:
 * Name of the scheme and authentication handler type
 * Registered non-default implementations of Duende IdentityServer extension points
 * Extension point type, implementation type, assembly name and version
-* [`IdentityServerOptions`](/identityserver/reference/options.md) configuration
+* [`IdentityServerOptions`](/identityserver/reference/v8/options.md) configuration
 * [Data Protection](/identityserver/deployment/index.md#aspnet-core-data-protection) configuration
 * `ApplicationDiscriminator`, `XmlEncryptor` and `XmlRepository`
 * Basic server information
 * Host name
-* [License Usage Summary](/identityserver/reference/models/license-usage-summary.md) data
+* [License Usage Summary](/identityserver/reference/v8/models/license-usage-summary.md) data
 * Token issue counts (for various token types)
 * Endpoint usage (only for IdentityServer endpoints)
 * Clients configuration (limited to first 100 clients, excluding sensitive information/secrets)
@@ -55,7 +55,7 @@ Diagnostics data [is formatted as JSON](#diagnostics-data-format).
 ## Capturing Diagnostics Data
-The IdentityServer diagnostics data is [written to logs periodically](/identityserver/reference/options.md#diagnostics).
+The IdentityServer diagnostics data is [written to logs periodically](/identityserver/reference/v8/options.md#diagnostics).
 By default, you will see log entries similar to the following in your IdentityServer logs
 ```log
@@ -65,7 +65,7 @@ info: Duende.IdentityServer.Diagnostics.Summary[7000]
 Diagnostic data (2 of 2): ... }
 ```
-Diagnostics data [may be chunked](/identityserver/reference/options.md#diagnostics), and you will need to concatenate chunks
+Diagnostics data [may be chunked](/identityserver/reference/v8/options.md#diagnostics), and you will need to concatenate chunks
 to collect the full diagnostics JSON data. To capture diagnostics data from your IdentityServer instance, you can log entries written to the
diff --git a/astro/src/content/docs/identityserver/fundamentals/claims.md b/astro/src/content/docs/identityserver/fundamentals/claims.md
index 9bed5c182..2d5ba8f6f 100644
--- a/astro/src/content/docs/identityserver/fundamentals/claims.md
+++ b/astro/src/content/docs/identityserver/fundamentals/claims.md
@@ -16,12 +16,12 @@ emit, in which situations you want to emit those claims, and where to retrieve t
 ## User Claims
 User claims can be emitted in both identity and access tokens and in
-the [userinfo endpoint](/identityserver/reference/endpoints/userinfo.md). The central extensibility point to implement
-to emit claims is called the [profile service](/identityserver/reference/services/profile-service.md). The profile
+the [userinfo endpoint](/identityserver/reference/v8/endpoints/userinfo.md). The central extensibility point to implement
+to emit claims is called the [profile service](/identityserver/reference/v8/services/profile-service.md). The profile
 service is responsible for both gathering claim data and deciding which claims should be emitted. Whenever IdentityServer needs the claims for a user, it invokes the registered profile service with
-a [context](/identityserver/reference/services/profile-service.md#duendeidentityservermodelsprofiledatarequestcontext)
+a [context](/identityserver/reference/v8/services/profile-service.md#duendeidentityservermodelsprofiledatarequestcontext)
 that presents detailed information about the current request, including
 * the client that is making the request
@@ -114,7 +114,7 @@ contains the principal that was issued during user sign-in. Typically, the profi
 the `Subject` and others from databases or other data sources. When the profile service is called for requests to
-the [userinfo endpoint](/identityserver/reference/endpoints/userinfo.md), the `Subject` property will not contain the
+the [userinfo endpoint](/identityserver/reference/v8/endpoints/userinfo.md), the `Subject` property will not contain the
 principal issued during user sign-in, since userinfo calls don't happen as part of a session. Instead, the `Subject` property will contain a claims principal populated with the claims in the access token used to authorize the userinfo call. You can check the caller of the profile service by querying the `Caller` property on the context.
@@ -141,7 +141,7 @@ var client = new Client
 To avoid accidental collision with user claims, client claims are prefixed with `client_`. For example, the above `ClientClaim` would be emitted as the `client_customer_id` claim type in access tokens. You can change or remove this
-prefix by setting the `ClientClaimsPrefix` on the [client definition](/identityserver/reference/models/client.md#token).
+prefix by setting the `ClientClaimsPrefix` on the [client definition](/identityserver/reference/v8/models/client.md#token).
 :::note
 By default, client claims are only sent in the client credentials flow. If you want to enable them for other flows, you
diff --git a/astro/src/content/docs/identityserver/fundamentals/hosting.md b/astro/src/content/docs/identityserver/fundamentals/hosting.md
index 8195ff31b..f5e1fd6d4 100644
--- a/astro/src/content/docs/identityserver/fundamentals/hosting.md
+++ b/astro/src/content/docs/identityserver/fundamentals/hosting.md
@@ -30,10 +30,10 @@ var idsvrBuilder = builder.Services.AddIdentityServer(options =>
 ```
 Many of the fundamental configuration settings can be set on the options. See the
-[`IdentityServerOptions`](/identityserver/reference/options.md) reference for more details.
+[`IdentityServerOptions`](/identityserver/reference/v8/options.md) reference for more details.
 The builder object has a number of extension methods to add additional services to the ASP.NET Core service provider.
-You can see the full list in the [reference](/identityserver/reference/di.md) section, but very commonly you start by
+You can see the full list in the [reference](/identityserver/reference/v8/di.md) section, but very commonly you start by
 adding the configuration stores for clients and resources, e.g.:
 ```csharp
diff --git a/astro/src/content/docs/identityserver/fundamentals/key-management.md b/astro/src/content/docs/identityserver/fundamentals/key-management.md
index 3c30ee391..c9a7248de 100644
--- a/astro/src/content/docs/identityserver/fundamentals/key-management.md
+++ b/astro/src/content/docs/identityserver/fundamentals/key-management.md
@@ -46,7 +46,7 @@ This feature is part of the [Duende IdentityServer Business and Enterprise Editi
 ### Configuration
 Automatic Key Management is configured by the options in the `KeyManagement`
-property on the [`IdentityServerOptions`](/identityserver/reference/options.md#key-management).
+property on the [`IdentityServerOptions`](/identityserver/reference/v8/options.md#key-management).
 ### Managed Key Lifecycle
@@ -209,7 +209,7 @@ loading and rotation of keys.
 The automatic key management feature can be disabled by setting the `Enabled` flag to `false` on the `KeyManagement` property of
-[`IdentityServerOptions`](/identityserver/reference/options.md#key-management):
+[`IdentityServerOptions`](/identityserver/reference/v8/options.md#key-management):
 ```csharp
 // Program.cs
@@ -268,7 +268,7 @@ Console.WriteLine($"Certificate saved to {name}.pfx");
 ## Adding Keys
-Signing keys are added with the [`AddSigningCredential`](/identityserver/reference/di.md#signing-keys) configuration
+Signing keys are added with the [`AddSigningCredential`](/identityserver/reference/v8/di.md#signing-keys) configuration
 method:
 ```csharp
diff --git a/astro/src/content/docs/identityserver/fundamentals/resources/api-resources.md b/astro/src/content/docs/identityserver/fundamentals/resources/api-resources.md
index f2fb50373..0f16fd46a 100644
--- a/astro/src/content/docs/identityserver/fundamentals/resources/api-resources.md
+++ b/astro/src/content/docs/identityserver/fundamentals/resources/api-resources.md
@@ -128,7 +128,7 @@ var customerResource = new ApiResource("customer", "Customer API")
 }
 ```
-If a client now requested a scope belonging to the `customer` resource, the access token would contain the additional claims (if provided by your [profile service](/identityserver/reference/services/profile-service.md)).
+If a client now requested a scope belonging to the `customer` resource, the access token would contain the additional claims (if provided by your [profile service](/identityserver/reference/v8/services/profile-service.md)).
 ```json
 {
diff --git a/astro/src/content/docs/identityserver/fundamentals/resources/identity.md b/astro/src/content/docs/identityserver/fundamentals/resources/identity.md
index 49acc298c..b12d6f587 100644
--- a/astro/src/content/docs/identityserver/fundamentals/resources/identity.md
+++ b/astro/src/content/docs/identityserver/fundamentals/resources/identity.md
@@ -44,7 +44,7 @@ public static IEnumerable GetIdentityResources()
 }
 ```
 :::note
-See the [reference](/identityserver/reference/models/identity-resource.md) section for more information on `IdentityResource`.
+See the [reference](/identityserver/reference/v8/models/identity-resource.md) section for more information on `IdentityResource`.
 :::
 The following example shows a custom identity resource called `profile` that represents the display name, email address and website claim:
@@ -74,7 +74,7 @@ var client = new Client
 ```
 :::note
-See the [reference](/identityserver/reference/models/client.md) section for more information on the `Client` class.
+See the [reference](/identityserver/reference/v8/models/client.md) section for more information on the `Client` class.
 :::
 The client can then request the resource using the scope parameter (other parameters omitted):
@@ -82,4 +82,4 @@ The client can then request the resource using the scope parameter (other parame
 https://demo.duendesoftware.com/connect/authorize?client_id=client&scope=openid profile
 IdentityServer will then use the scope names to create a list of requested claim types,
-and present that to your implementation of the [profile service](/identityserver/reference/services/profile-service.md).
\ No newline at end of file
+and present that to your implementation of the [profile service](/identityserver/reference/v8/services/profile-service.md).
\ No newline at end of file
diff --git a/astro/src/content/docs/identityserver/fundamentals/users.md b/astro/src/content/docs/identityserver/fundamentals/users.md
index dfc77106b..1e011d8ab 100644
--- a/astro/src/content/docs/identityserver/fundamentals/users.md
+++ b/astro/src/content/docs/identityserver/fundamentals/users.md
@@ -32,7 +32,7 @@ This is obvious if the client application is a web application, but it's also th
 mobile applications.
 When a user must log in, the client application will redirect the user to the protocol endpoint called
-the [authorization endpoint](/identityserver/reference/endpoints/authorize.md) in your IdentityServer server to request
+the [authorization endpoint](/identityserver/reference/v8/endpoints/authorize.md) in your IdentityServer server to request
 authentication. As part of the authorize request, your IdentityServer will typically display a login page for the user to enter their credentials.
diff --git a/astro/src/content/docs/identityserver/quickstarts/1-client-credentials.md b/astro/src/content/docs/identityserver/quickstarts/1-client-credentials.md
index 7f90d9841..65367a87e 100644
--- a/astro/src/content/docs/identityserver/quickstarts/1-client-credentials.md
+++ b/astro/src/content/docs/identityserver/quickstarts/1-client-credentials.md
@@ -231,7 +231,7 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
 That's it - your IdentityServer is now configured. If you run the project and then navigate to `https://localhost:5001/.well-known/openid-configuration` in
-your browser, you should see the [discovery document](/identityserver/reference/endpoints/discovery.md).
+your browser, you should see the [discovery document](/identityserver/reference/v8/endpoints/discovery.md).
 The discovery document is a standard endpoint in [OpenID Connect](https://openid.net/specs/openid-connect-discovery-1_0.html) and [OAuth](https://datatracker.ietf.org/doc/html/rfc8414). It is
diff --git a/astro/src/content/docs/identityserver/quickstarts/5-aspnetid.md b/astro/src/content/docs/identityserver/quickstarts/5-aspnetid.md
index 8cf366efb..218af07e1 100644
--- a/astro/src/content/docs/identityserver/quickstarts/5-aspnetid.md
+++ b/astro/src/content/docs/identityserver/quickstarts/5-aspnetid.md
@@ -296,7 +296,7 @@ IdentityServer contains an extensibility point called the `IProfileService` that
 is responsible for retrieval of user claims. The ASP.NET Identity Integration includes an implementation of `IProfileService` that retrieves claims from ASP.NET Identity. You can extend that implementation to use the custom profile
-data as a source of claims data. [See here](/identityserver/reference/services/profile-service.md) for more details on
+data as a source of claims data. [See here](/identityserver/reference/v8/services/profile-service.md) for more details on
 the profile service.
 Create a new file called `src/IdentityServerAspNetIdentity/CustomProfileService.cs` and add the
diff --git a/astro/src/content/docs/identityserver/reference/dcr/response.md b/astro/src/content/docs/identityserver/reference/dcr/response.md
deleted file mode 100644
index 8271df091..000000000
--- a/astro/src/content/docs/identityserver/reference/dcr/response.md
+++ /dev/null
@@ -1,40 +0,0 @@ ---- -title: "Response Generation" -description: "Reference documentation for dynamic client registration response generation, including interfaces and implementations for handling HTTP responses in the registration process." -sidebar: - order: 40 -redirect_from: - - /identityserver/v5/configuration/dcr/reference/response/ - - /identityserver/v6/configuration/dcr/reference/response/ - - /identityserver/v7/configuration/dcr/reference/response/ ---- - -## IDynamicClientRegistrationResponseGenerator -The `IDynamicClientRegistrationResponseGenerator` interface defines the contract -for a service that generates dynamic client registration responses. - -```csharp -public interface IDynamicClientRegistrationResponseGenerator -``` - -### Members - -| name | description | -|--------------------------|--------------------------------------------------------------------------| -| WriteBadRequestError(…) | Writes a bad request error to the HTTP context. | -| WriteContentTypeError(…) | Writes a content type error to the HTTP response. | -| WriteProcessingError(…) | Writes a processing error to the HTTP context. | -| WriteResponse(…) | Writes a response object to the HTTP context with the given status code. | -| WriteSuccessResponse(…) | Writes a success response to the HTTP context. | -| WriteValidationError(…) | Writes a validation error to the HTTP context. | - - -## DynamicClientRegistrationResponseGenerator - -The `DynamicClientRegistrationResponseGenerator` is the default implementation of the `IDynamicClientRegistrationResponseGenerator`. If you wish to customize a particular aspect of response generation, you can extend this class and override the appropriate methods. You can also set JSON serialization options by overriding its `SerializerOptions` property. 
- -### Members - -| name | description | -|---------------------------------|-----------------------------------------------------| -| SerializerOptions { get; set; } | The options used for serializing json in responses. | diff --git a/astro/src/content/docs/identityserver/reference/v7/_meta.yml b/astro/src/content/docs/identityserver/reference/v7/_meta.yml new file mode 100644 index 000000000..a316dc13f --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/_meta.yml @@ -0,0 +1,2 @@ +label: "v7.0" +order: 2 diff --git a/astro/src/content/docs/identityserver/reference/dcr/_meta.yml b/astro/src/content/docs/identityserver/reference/v7/dcr/_meta.yml similarity index 100% rename from astro/src/content/docs/identityserver/reference/dcr/_meta.yml rename to astro/src/content/docs/identityserver/reference/v7/dcr/_meta.yml diff --git a/astro/src/content/docs/identityserver/reference/v7/dcr/models.md b/astro/src/content/docs/identityserver/reference/v7/dcr/models.md new file mode 100644 index 000000000..0e4149fbe --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/dcr/models.md 
@@ -0,0 +1,173 @@ +--- +title: "Models" +description: "Reference documentation for the models and interfaces used in Dynamic Client Registration (DCR), including request/response objects and validation context." +sidebar: + order: 50 +redirect_from: + - /identityserver/v7/configuration/dcr/reference/models/ +--- + +## DynamicClientRegistrationRequest + +Represents a dynamic client registration request. The parameters that are supported include a subset of the +parameters [defined by IANA](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata), +and custom properties needed by IdentityServer. + +```csharp +public class DynamicClientRegistrationRequest +``` + +#### Public Members + +| name | description | +|-------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `AbsoluteRefreshTokenLifetime { get; set; }` | The absolute lifetime of refresh tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `AccessTokenLifetime { get; set; }` | The lifetime of access tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `AccessTokenType { get; set; }` | The type of access tokens that this client will create. 
Either "Jwt" or "Reference". This property is an extension to the Dynamic Client Registration Protocol. | +| `AllowedCorsOrigins { get; set; }` | List of allowed CORS origins for JavaScript clients. This property is an extension to the Dynamic Client Registration Protocol. | +| `AllowedIdentityTokenSigningAlgorithms { get; set; }` | List of signing algorithms to use when signing identity tokens. If not set, will use the server default signing algorithm. This property is an extension to the Dynamic Client Registration Protocol. | +| `AllowRememberConsent { get; set; }` | Boolean value specifying whether a user's consent can be remembered in flows initiated by this client. This property is an extension to the Dynamic Client Registration Protocol. | +| `AuthorizationCodeLifetime { get; set; }` | The lifetime of authorization codes, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `BackChannelLogoutSessionRequired { get; set; }` | Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. | +| `BackChannelLogoutUri { get; set; }` | RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. | +| `ClientName { get; set; }` | Human-readable string name of the client to be presented to the end-user during authorization. | +| `ClientUri { get; set; }` | Web page providing information about the client. | +| `ConsentLifetime { get; set; }` | The lifetime of consent, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `CoordinateLifetimeWithUserSession { get; set; }` | When enabled, the client's token lifetimes (e.g. refresh tokens) will be tied to the user's session lifetime. This means when the user logs out, any revokable tokens will be removed. 
If using server-side sessions, expired sessions will also remove any revokable tokens, and backchannel logout will be triggered. This client's setting overrides the global CoordinateClientLifetimesWithUserSession configuration setting. This property is an extension to the Dynamic Client Registration Protocol. | +| `DefaultMaxAge { get; set; }` | Default maximum authentication age. This is stored as the UserSsoLifetime property of the IdentityServer client model. | +| `EnableLocalLogin { get; set; }` | Boolean value specifying if local logins are enabled when this client uses interactive flows. This property is an extension to the Dynamic Client Registration Protocol. | +| `Extensions { get; set; }` | Custom client metadata fields to include in the serialization. | +| `FrontChannelLogoutSessionRequired { get; set; }` | Boolean value specifying whether the RP requires that a sid (session ID) query parameter be included to identify the RP session with the OP when the frontchannel_logout_uri is used. | +| `FrontChannelLogoutUri { get; set; }` | RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. | +| `GrantTypes { get; set; }` | List of OAuth 2.0 grant type strings that the client can use at the token endpoint. Valid values are "authorization_code", "client_credentials", "refresh_token". | +| `IdentityProviderRestrictions { get; set; }` | List of external IdPs that can be used with this client. If list is empty all IdPs are allowed. Defaults to empty. This property is an extension to the Dynamic Client Registration Protocol. | +| `IdentityTokenLifetime { get; set; }` | The lifetime of identity tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `InitiateLoginUri { get; set; }` | URI using the https scheme that a third party can use to initiate a login by the relying party. | +| `Jwks { get; set; }` | JWK Set document which contains the client's public keys. 
The `JwksUri` and `Jwks` parameters MUST NOT both be present in the same request or response. | +| `JwksUri { get; set; }` | URL to a JWK Set document which contains the client's public keys. The `JwksUri` and `Jwks` parameters MUST NOT both be present in the same request or response. The default validator must be extended to make use of the `JwksUri`. The default implementation ignores this property. | +| `LogoUri { get; set; }` | Logo for the client. If present, the server should display this image to the end-user during approval. | +| `PostLogoutRedirectUris { get; set; }` | List of post-logout redirection URIs for use in the end session endpoint. | +| `RedirectUris { get; set; }` | List of redirection URI strings for use in redirect-based flows such as the authorization code flow. Clients using flows with redirection must register their redirection URI values. | +| `RefreshTokenExpiration { get; set; }` | The type of expiration for refresh tokens. Either "sliding" or "absolute". This property is an extension to the Dynamic Client Registration Protocol. | +| `RefreshTokenUsage { get; set; }` | The usage type for refresh tokens. Either "OneTimeOnly" or "ReUse". This property is an extension to the Dynamic Client Registration Protocol. | +| `RequireClientSecret { get; set; }` | Boolean value specifying if a client secret is needed to request tokens at the token endpoint. This property is an extension to the Dynamic Client Registration Protocol. | +| `RequireConsent { get; set; }` | Boolean value specifying whether consent is required in user-centric flows initiated by this client. This property is an extension to the Dynamic Client Registration Protocol. | +| `RequireSignedRequestObject { get; set; }` | Boolean value specifying whether authorization requests must be protected as signed request objects and provided through either the request or request_uri parameters. 
| +| `Scope { get; set; }` | String containing a space-separated list of scope values that the client can use when requesting access tokens. If omitted, the configuration API will register a client with the scopes set by the `DynamicClientRegistrationValidator.SetDefaultScopes` method, which defaults to no scopes. | +| `SlidingRefreshTokenLifetime { get; set; }` | The sliding lifetime of refresh tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `SoftwareId { get; set; }` | A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. Unlike "client_id", which is issued by the authorization server and SHOULD vary between instances, the "software_id" SHOULD remain the same for all instances of the client software. The "software_id" SHOULD remain the same across multiple updates or versions of the same piece of software. The value of this field is not intended to be human-readable and is usually opaque to the client and authorization server. The default validator must be extended to make use of the `SoftwareId`. The default implementation ignores this property. | +| `SoftwareStatement { get; set; }` | A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT. The default validator must be extended to make use of the software statement. The default implementation ignores this property. | +| `SoftwareVersion { get; set; }` | A version identifier string for the client software identified by "software_id". The value of the "software_version" SHOULD change on any update to the client software identified by the same "software_id". The value of this field is intended to be compared using string equality matching and no other comparison semantics are defined by this specification. 
The default validator must be extended to make use of the `SoftwareVersion`. The default implementation ignores this property. | +| `TokenEndpointAuthenticationMethod { get; set; }` | Requested Client Authentication method for the Token Endpoint. The supported options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt. | +| `UpdateAccessTokenClaimsOnRefresh { get; set; }` | Boolean value specifying whether access token claims are updated during token refresh. This property is an extension to the Dynamic Client Registration Protocol. | + +## DynamicClientRegistrationResponse + +Represents the response to a successful dynamic client registration request. This class extends the registration request +by adding additional properties that are generated server side and not set by the client. + +```csharp +public class DynamicClientRegistrationResponse : DynamicClientRegistrationRequest, IDynamicClientRegistrationResponse +``` + +#### Public Members + +| name | description | +|---------------------------------------|----------------------------------------------------------------------------------------------------| +| `ClientId { get; set; }` | Gets or sets the client ID. | +| `ClientSecret { get; set; }` | Gets or sets the client secret. | +| `ClientSecretExpiresAt { get; set; }` | Gets or sets the expiration time of the client secret. | +| `ResponseTypes { get; set; }` | List of the OAuth 2.0 response type strings that the client can use at the authorization endpoint. | + +## DynamicClientRegistrationContext + +Represents the context of a dynamic client registration request, including +the original DCR request, the client model that is built up through validation +and processing, the caller who made the DCR request, and other contextual +information. 
+ +```csharp +public class DynamicClientRegistrationContext +``` + +#### Public Members + +| name | description | +|-------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `Caller { get; set; }` | The ClaimsPrincipal that made the DCR request. | +| `Client { get; set; }` | The client model that is built up through validation and processing. | +| `Items { get; set; }` | A collection where additional contextual information may be stored. This is intended as a place to pass additional custom state between validation steps. | +| `Request { get; set; }` | The original dynamic client registration request. | + +## DynamicClientRegistrationError + +Represents an error that occurred during validation of a dynamic client +registration request. This class implements the appropriate [marker interfaces](#marker-interfaces) so +that it can be returned from various points in the validator or processor. + +```csharp +public class DynamicClientRegistrationValidationError : IStepResult, IDynamicClientRegistrationResponse, IDynamicClientRegistrationValidationResult +``` + +#### Public Members + +| name | description | +|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `Error { get; set; }` | Gets or sets the error code for the error that occurred during validation. Error codes defined by RFC 7591 are defined as constants in the `DynamicClientRegistrationErrors` class. | +| `ErrorDescription { get; set; }` | Gets or sets a human-readable description of the error that occurred during validation. | + +## Marker Interfaces + +#### IDynamicClientRegistrationResponse + +Marker interface for the response to a dynamic client registration request. 
This +interface has two implementations; +[`DynamicClientRegistrationResponse`](#dynamicclientregistrationresponse) indicates +success, while [`DynamicClientRegistrationError`](#dynamicclientregistrationerror) indicates +failure. + +#### IDynamicClientRegistrationValidationResult + +Marker interface for the result of validating a dynamic client registration +request. This interface has two implementations; +[`DynamicClientRegistrationValidatedRequest`](#successfulstep) indicates +success, while +[`DynamicClientRegistrationError`](#dynamicclientregistrationerror) indicates +failure. Note that the `DynamicClientRegistrationError` implements multiple +interfaces and can be used throughout the pipeline to convey errors. + +#### IStepResult + +Marker interface for the result of a step in the dynamic client registration +validator or processor. This interface has two implementations; +[`SuccessfulStep`](#successfulstep) indicates success, while +[`DynamicClientRegistrationError`](#dynamicclientregistrationerror) indicates +failure. Note that the `DynamicClientRegistrationError` implements multiple +interfaces and can be used throughout the pipeline to convey errors. + +### IStepResult Convenience Functions + +Your validation or processing steps can return a call to convenience functions in the static class `StepResult` to +conveniently construct a success or failure from a step wrapped in a task. 
+ +| name | description | +|---------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------| +| `static Task Success()` | Indicates that the validation step was completed was completed successfully | +| `static Task Failure(string errorDescription)` | Indicates that the validation step failed with the specified error description and the default error code of invalid_client_metadata | +| `static Task Failure(string errorDescription, string error)` | Indicates that the validation step failed with the specified error description and error code | + +## DynamicClientRegistrationValidatedRequest + +Represents a successfully validated dynamic client registration request. + +```csharp +public class DynamicClientRegistrationValidatedRequest : DynamicClientRegistrationValidationResult +``` + +## SuccessfulStep + +Represents a successful validation step. + +```csharp +public class SuccessfulStep : IStepResult +``` diff --git a/astro/src/content/docs/identityserver/reference/v7/dcr/options.md b/astro/src/content/docs/identityserver/reference/v7/dcr/options.md new file mode 100644 index 000000000..9e658a7c4 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/dcr/options.md 
@@ -0,0 +1,40 @@ +--- +title: "Options" +description: "Reference documentation for the IdentityServer configuration options related to dynamic client registration and secret lifetimes." +sidebar: + order: 60 +redirect_from: + - /identityserver/v7/configuration/dcr/reference/options/ +--- + +The page describes the `IdentityServerConfigurationOptions` class, which provides top-level configuration options for +IdentityServer, including the `DynamicClientRegistrationOptions` class for managing dynamic client registration and +secret lifetimes. + +## IdentityServerConfigurationOptions + +Top-level options for IdentityServer configuration. + +```csharp +public class IdentityServerConfigurationOptions +``` + +### Public Members + +| name | description | +|--------------------------------------------------------------------------------|-----------------------------------------| +| [`DynamicClientRegistration { get; set; }`](#dynamicclientregistrationoptions) | Options for Dynamic Client Registration | + +## DynamicClientRegistrationOptions + +Options for dynamic client registration. + +```csharp +public class DynamicClientRegistrationOptions +``` + +### Public Members + +| name | description | +|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `SecretLifetime { get; set; }` | Gets or sets the lifetime of secrets generated for clients. If unset, generated secrets will have no expiration. Defaults to null (secrets never expire). | diff --git a/astro/src/content/docs/identityserver/reference/v7/dcr/processing.md b/astro/src/content/docs/identityserver/reference/v7/dcr/processing.md new file mode 100644 index 000000000..0011f4845 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/dcr/processing.md 
@@ -0,0 +1,67 @@ +--- +title: "Request Processing" +description: "Understand how dynamic client registration requests are processed, including client ID and secret generation, through the IDynamicClientRegistrationRequestProcessor contract and its default implementation." +sidebar: + order: 20 +redirect_from: + - /identityserver/v7/configuration/dcr/reference/processing/ +--- + +The page explains the `IDynamicClientRegistrationRequestProcessor` contract, its default implementation ( +`DynamicClientRegistrationRequestProcessor`), and the steps involved in processing a dynamic client registration +request, including methods for generating client IDs, secrets, and customizing secret generation. + +## IDynamicClientRegistrationRequestProcessor + +The `IDynamicClientRegistrationValidator` is the contract for the service that +processes a dynamic client registration request. It contains a single +`ProcessAsync(...)` method. + +Conceptually, the request processing step is responsible for setting properties +on the `Client` model that are generated by the Configuration API itself. In +contrast, the `IDynamicClientRegistrationRequestProcessor` is responsible for +checking the validity of the metadata supplied in the registration request, and +using that metadata to set properties of a `Client` model. The request processor +is also responsible for passing the finished `Client` to the [store](/identityserver/reference/v7/dcr/store.md) + +### Members + +| name | description | +|-------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `ProcessAsync(…)` | Processes a valid dynamic client registration request, setting properties of the client that are not specified in the request, and storing the new client in the IClientConfigurationStore. 
| + +## DynamicClientRegistrationRequestProcessor + +The `DynamicClientRegistrationRequestProcessor` is the default implementation of the +`IDynamicClientRegistrationRequestProcessor`. If you need to customize some aspect +of Dynamic Client Registration request processing, we recommend that you extend this +class and override the appropriate virtual methods. + +```csharp +public class DynamicClientRegistrationRequestProcessor : IDynamicClientRegistrationRequestProcessor +``` + +## Request Processing Steps + +Each of these virtual methods represents one step of request processing. +Each step is passed a [DynamicClientRegistrationContext](/identityserver/reference/v7/dcr/models.md#dynamicclientregistrationcontext) and returns a task +that returns an [`IStepResult`](/identityserver/reference/v7/dcr/models.md#istepresult). The `DynamicClientRegistrationContext` includes the client model +that will +have its properties set, the DCR request, and other contextual information. The +`IStepResult` either represents that the step succeeded or failed. + +| name | description | +|---------------------------|---------------------------------------------------------------------------| +| `virtual AddClientId` | Generates a client ID and adds it to the validatedRequest's client model. | +| `virtual AddClientSecret` | Adds a client secret to a dynamic client registration request. | + +## Secret Generation + +The `AddClientSecret` method is responsible for adding the client's secret and +plaintext of that secret to the context's `Items` dictionary for later use. If you want to customize secret generation, +you can override the GenerateSecret method, which only needs to return a tuple containing the secret and +its plaintext. + +| name | description | +|--------------------------|---------------------------------------------------------------| +| `virtual GenerateSecret` | Generates a secret for a dynamic client registration request. | \ No newline at end of file 
diff --git a/astro/src/content/docs/identityserver/reference/v7/dcr/response.md b/astro/src/content/docs/identityserver/reference/v7/dcr/response.md new file mode 100644 index 000000000..df09ab419 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/dcr/response.md 
@@ -0,0 +1,38 @@ +--- +title: "Response Generation" +description: "Reference documentation for dynamic client registration response generation, including interfaces and implementations for handling HTTP responses in the registration process." +sidebar: + order: 40 +redirect_from: + - /identityserver/v7/configuration/dcr/reference/response/ +--- + +## IDynamicClientRegistrationResponseGenerator +The `IDynamicClientRegistrationResponseGenerator` interface defines the contract +for a service that generates dynamic client registration responses. + +```csharp +public interface IDynamicClientRegistrationResponseGenerator +``` + +### Members + +| name | description | +|----------------------------|--------------------------------------------------------------------------| +| `WriteBadRequestError(…)` | Writes a bad request error to the HTTP context. | +| `WriteContentTypeError(…)` | Writes a content type error to the HTTP response. | +| `WriteProcessingError(…)` | Writes a processing error to the HTTP context. | +| `WriteResponse(…)` | Writes a response object to the HTTP context with the given status code. | +| `WriteSuccessResponse(…)` | Writes a success response to the HTTP context. | +| `WriteValidationError(…)` | Writes a validation error to the HTTP context. | + + +## DynamicClientRegistrationResponseGenerator + +The `DynamicClientRegistrationResponseGenerator` is the default implementation of the `IDynamicClientRegistrationResponseGenerator`. If you wish to customize a particular aspect of response generation, you can extend this class and override the appropriate methods. You can also set JSON serialization options by overriding its `SerializerOptions` property. + +### Members + +| name | description | +|-----------------------------------|-----------------------------------------------------| +| `SerializerOptions { get; set; }` | The options used for serializing json in responses. | 
diff --git a/astro/src/content/docs/identityserver/reference/v7/dcr/store.md b/astro/src/content/docs/identityserver/reference/v7/dcr/store.md new file mode 100644 index 000000000..29408a852 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/dcr/store.md @@ -0,0 +1,28 @@ +--- +title: "Store" +description: "Reference documentation for the Dynamic Client Registration (DCR) store interfaces and implementations used to manage client configurations in IdentityServer" +sidebar: + order: 30 +redirect_from: + - /identityserver/v7/configuration/dcr/reference/store/ +--- + +## IClientConfigurationStore + +The `IClientConfigurationStore` interface defines the contract for a service +that communicates with the client configuration data store. It contains a +single `AddAsync` method. + +```csharp +public interface IClientConfigurationStore +``` + +### Members + +| name | description | +|---------------|-------------------------------------------| +| `AddAsync(…)` | Adds a client to the configuration store. | + +## ClientConfigurationStore + +The `ClientConfigurationStore` is the default implementation of the `IClientConfigurationStore`. It uses Entity Framework to communicate with the client configuration store, and is intended to be used when IdentityServer is configured to use the Entity Framework based configuration stores. \ No newline at end of file diff --git a/astro/src/content/docs/identityserver/reference/v7/dcr/validation.md b/astro/src/content/docs/identityserver/reference/v7/dcr/validation.md new file mode 100644 index 000000000..a0fe3a703 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/dcr/validation.md 
@@ -0,0 +1,81 @@ +--- +title: "Validation" +description: "Reference documentation for Dynamic Client Registration (DCR) validation process, including validation steps, interfaces, and client property configuration." +sidebar: + order: 10 +redirect_from: + - /identityserver/v7/configuration/dcr/reference/validation/ + - /identityserver/v7/configuration/dcr/reference/ +--- + +## IDynamicClientRegistrationValidator + +The `IDynamicClientRegistrationValidator` is the contract for the service that +validates a dynamic client registration request. It contains a single +`ValidateAsync(...)` method. + +Conceptually, the validation step is responsible for checking the validity of +the metadata supplied in the registration request, and using that metadata to +set properties of a `Client` model. In contrast, the +`IDynamicClientRegistrationRequestProcessor` is responsible for setting +properties on the `Client` model that are generated by the Configuration API +itself. + +### IDynamicClientRegistrationValidator.ValidateAsync + +Validates a dynamic client registration request. + +```csharp +public Task ValidateAsync( + DynamicClientRegistrationContext context) +``` + +| parameter | description | +|-----------|-----------------------------------------------| +| `context` | Contextual information about the DCR request. | + +### Return Value + +A task that returns an [ +`IDynamicClientRegistrationValidationResult`](/identityserver/reference/v7/dcr/models.md#idynamicclientregistrationvalidationresult), indicating success or +failure. + +## DynamicClientRegistrationValidator + +```csharp +public class DynamicClientRegistrationValidator : IDynamicClientRegistrationValidator +``` + +The `DynamicClientRegistrationValidator` class is the default implementation of +the `IDynamicClientRegistrationValidator`. If you need to customize some aspect +of Dynamic Client Registration validation, we recommend that you extend this +class and override the appropriate methods. 
+ +## Validation Steps + +Each of these methods represents one step in the validation process. +Each step is passed a [`DynamicClientRegistrationContext`](/identityserver/reference/v7/dcr/models.md#dynamicclientregistrationcontext) and returns a task +that returns an [`IStepResult`](/identityserver/reference/v7/dcr/models.md#istepresult). The `DynamicClientRegistrationContext` includes the client model +that will +have its properties set, the DCR request, and other contextual information. The +`IStepResult` either represents that the step succeeded or failed. + +The steps are invoked in the same order as they appear in this table. + +| name | description | +|-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `ValidateSoftwareStatementAsync(…)` | Validates the software statement of the request. The default implementation does nothing, and is included as an extension point. | +| `SetGrantTypesAsync(…)` | Validates requested grant types and uses them to set the allowed grant types of the client. | +| `SetRedirectUrisAsync(…)` | Validates requested redirect uris and uses them to set the redirect uris of the client. | +| `SetScopesAsync(…)` | Validates requested scopes and uses them to set the scopes of the client. | +| `SetDefaultScopes(…)` | Sets scopes on the client when no scopes are requested. The default implementation sets no scopes and is intended as an extension point. | +| `SetSecretsAsync(…)` | Validates the requested jwks to set the secrets of the client. | +| `SetClientNameAsync(…)` | Validates the requested client name uses it to set the name of the client. 
| +| `SetLogoutParametersAsync(…)` | Validates the requested client parameters related to logout and uses them to set the corresponding properties in the client. Those parameters include the post logout redirect uris, front channel and back channel uris, and flags for the front and back channel uris indicating if they require session ids. | +| `SetMaxAgeAsync(…)` | Validates the requested default max age and uses it to set the user sso lifetime of the client. | +| `SetUserInterfaceProperties(…)` | Validates details of the request that control the user interface, including the logo uri, client uri, initiate login uri, enable local login flag, and identity provider restrictions, and uses them to set the corresponding client properties. | +| `SetPublicClientProperties(…)` | Validates the requested client parameters related to public clients and uses them to set the corresponding properties in the client. Those parameters include the require client secret flag and the allowed cors origins. | +| `SetAccessTokenProperties(…)` | Validates the requested client parameters related to access tokens and uses them to set the corresponding properties in the client. Those parameters include the allowed access token type and access token lifetime. | +| `SetIdTokenProperties(…)` | Validates the requested client parameters related to id tokens and uses them to set the corresponding properties in the client. Those parameters include the id token lifetime and the allowed id token signing algorithms. | +| `SetServerSideSessionProperties(…)` | Validates the requested client parameters related to server side sessions and uses them to set the corresponding properties in the client. Those parameters include the coordinate lifetime with user session flag. | + diff --git a/astro/src/content/docs/identityserver/reference/v7/di.md b/astro/src/content/docs/identityserver/reference/v7/di.md new file mode 100644 index 000000000..eaebe9abf --- /dev/null 
+++ b/astro/src/content/docs/identityserver/reference/v7/di.md 
@@ -0,0 +1,223 @@ +--- +title: "Dependency Injection Extension Methods" +description: "A comprehensive guide to IdentityServer's dependency injection extension methods for configuring services, stores, caching, signing keys and other features." +date: 2020-09-10T08:22:12+02:00 +sidebar: + label: Dependency Injection + order: 20 +redirect_from: + - /identityserver/v7/reference/di/ +--- + +`AddIdentityServer` return a builder object that provides many extension methods to add IdentityServer specific services +to the ASP.NET Core service provider. Here's a list grouped by feature areas. + +```csharp +// Program.cs +var idsvrBuilder = builder.Services.AddIdentityServer(); +``` + +:::note +Many of the fundamental configuration settings can be set on the options. See the +`[IdentityServerOptions](/identityserver/reference/v7/options)` reference for more details. +::: + +## Configuration Stores + +Several convenience methods are provided for registering custom stores: + +- **`AddClientStore`** + + Registers a custom `IClientStore` implementation. + +- **`AddCorsPolicyService`** + + Registers a custom `ICorsPolicyService` implementation. + +- **`AddResourceStore`** + + Registers a custom `IResourceStore` implementation. + +- **`AddIdentityProviderStore`** + + Registers a custom `IIdentityProviderStore` implementation. + +The [in-memory configuration stores](/identityserver/data/configuration.md#in-memory-stores) can be registered in DI +with the following extension methods. + +- **`AddInMemoryClients`** + + Registers `IClientStore` and `ICorsPolicyService` implementations based on the in-memory collection of `Client` + configuration objects. + +- **`AddInMemoryIdentityResources`** + + Registers `IResourceStore` implementation based on the in-memory collection of `IdentityResource` configuration + objects. + +- **`AddInMemoryApiScopes`** + + Registers `IResourceStore` implementation based on the in-memory collection of `ApiScope` configuration objects. 
+ +- **`AddInMemoryApiResources`** + + Registers `IResourceStore` implementation based on the in-memory collection of `ApiResource` configuration objects. + +## Caching Configuration Data + +Extension methods to +enable [caching for configuration data](/identityserver/data/configuration.md#caching-configuration-data): + +- **`AddInMemoryCaching`** + + To use any of the caches described below, an implementation of `ICache` must be registered in the ASP.NET Core service provider. + This API registers a default in-memory implementation of `ICache` that's based on ASP.NET Core's `MemoryCache`. + +- **`AddClientStoreCache`** + Registers a `IClientStore` decorator implementation which will maintain an in-memory cache of `Client` configuration + objects. + The cache duration is configurable on the `Caching` configuration options on the `IdentityServerOptions`. + +- **`AddResourceStoreCache`** + + Registers a `IResourceStore` decorator implementation which will maintain an in-memory cache of `IdentityResource` and + `ApiResource` configuration objects. + The cache duration is configurable on the `Caching` configuration options on the `IdentityServerOptions`. + +- **`AddCorsPolicyCache`** + + Registers a `ICorsPolicyService` decorator implementation which will maintain an in-memory cache of the results of the + CORS policy service evaluation. + The cache duration is configurable on the `Caching` configuration options on the `IdentityServerOptions`. + +- **`AddIdentityProviderStoreCache`** + + Registers a `IIdentityProviderStore` decorator implementation which will maintain an in-memory cache of + `IdentityProvider` configuration objects. + The cache duration is configurable on the `Caching` configuration options on the `IdentityServerOptions`. + +## Test Stores + +The `TestUser` class models a user, their credentials, and claims in IdentityServer. 
+ +Use of `TestUser` is similar to the use of the "in-memory" stores in that it is intended for when prototyping, +developing, and/or testing. +The use of `TestUser` is not recommended in production. + +- **`AddTestUsers`** + + Registers `TestUserStore` based on a collection of `TestUser` objects. + `TestUserStore` is e.g. used by the default quickstart UI. + Also registers implementations of `IProfileService` and `IResourceOwnerPasswordValidator` that uses the test users as + a backing store. + +## Signing keys + +Duende IdentityServer needs key material to sign tokens. This key material can +either be created and +[managed automatically](/identityserver/fundamentals/key-management.md#automatic-key-management) +or +[configured statically](/identityserver/fundamentals/key-management.md#static-key-management). + +:::note +We recommend that you use automatic key management. This section covers the +configuration methods needed for manual configuration of signing keys, which are +usually only needed if your license does not include automatic key management or +if you are [migrating](/identityserver/fundamentals/key-management.md#migrating-from-static-keys-to-automatic-key-management) from manually +managed keys to automatic key management. +::: + +Duende IdentityServer supports X.509 certificates (both raw files and a reference to the certificate store), +RSA keys and EC keys for token signatures and validation. Each key can be configured with a (compatible) signing +algorithm, +e.g. RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384 or ES512. + +You can configure the key material with the following methods: + +- **`AddSigningCredential`** + + Adds a signing key that provides the specified key material to the various token creation/validation services. + +- **`AddDeveloperSigningCredential`** + + Creates temporary key material at startup time. This is for dev scenarios. 
The generated key will be persisted in the + local directory by default (or just kept in memory). + +- **`AddValidationKey`** + + Adds a key for validating tokens. They will be used by the internal token validator and will show up in the discovery + document. + +## Additional services + +The following are convenient to add additional features to your IdentityServer. + +- **`AddExtensionGrantValidator`** + + Adds an `IExtensionGrantValidator` implementation for use with extension grants. + +- **`AddSecretParser`** + + Adds an `ISecretParser` implementation for parsing client or API resource credentials. + +- **`AddSecretValidator`** + + Adds an `ISecretValidator` implementation for validating client or API resource credentials against a credential + store. + +- **`AddResourceOwnerValidator`** + + Adds an `IResourceOwnerPasswordValidator` implementation for validating user credentials for the resource owner + password credentials grant type. + +- **`AddProfileService`** + + Adds an`IProfileService` + implementation. + The default implementation (found in `DefaultProfileService`) relies upon the authentication cookie as the only source + of claims for issuing in tokens. + +- **`AddAuthorizeInteractionResponseGenerator`** + + Adds an `IAuthorizeInteractionResponseGenerator` implementation to customize logic at authorization endpoint for when + a user must be shown a UI for error, login, consent, or any other custom page. + The default implementation can be found in the `AuthorizeInteractionResponseGenerator` class, so consider deriving + from this existing class if you need to augment the existing behavior. + +- **`AddCustomAuthorizeRequestValidator`** + + Adds an `ICustomAuthorizeRequestValidator` implementation to customize request parameter validation at the + authorization endpoint. + +- **`AddCustomTokenRequestValidator`** + + Adds an `ICustomTokenRequestValidator` implementation to customize request parameter validation at the token endpoint. 
+ +- **`AddRedirectUriValidator`** + + Adds an `IRedirectUriValidator` implementation to customize redirect URI validation. + +- **`AddAppAuthRedirectUriValidator`** + + Adds an "AppAuth" (OAuth 2.0 for Native Apps) compliant redirect URI validator (does strict validation but also + allows `http://127.0.0.1` with random port). + +- **`AddJwtBearerClientAuthentication`** + + Adds support for client authentication using JWT bearer assertions. + +- **`AddMutualTlsSecretValidators`** + + Adds the X509 secret validators for mutual TLS. + +- **`AddIdentityProviderConfigurationValidator`** + + Adds an IdentityProvider configuration validator. + +- **`AddBackchannelAuthenticationUserValidator`** + + Adds the backchannel login user validator. + +- **`AddBackchannelAuthenticationUserNotificationService`** + + Adds the backchannel login user validator. diff --git a/astro/src/content/docs/identityserver/reference/efoptions/_meta.yml b/astro/src/content/docs/identityserver/reference/v7/efoptions/_meta.yml similarity index 100% rename from astro/src/content/docs/identityserver/reference/efoptions/_meta.yml rename to astro/src/content/docs/identityserver/reference/v7/efoptions/_meta.yml diff --git a/astro/src/content/docs/identityserver/reference/v7/efoptions/configuration.md b/astro/src/content/docs/identityserver/reference/v7/efoptions/configuration.md new file mode 100644 index 000000000..08514259c --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/efoptions/configuration.md 
@@ -0,0 +1,85 @@ +--- +title: "Configuration Options" +description: "Configuration options available when using Entity Framework Core as the configuration store in IdentityServer" +sidebar: + order: 20 +redirect_from: + - /identityserver/v7/reference/efoptions/configuration/ +--- + +## Duende.IdentityServer.EntityFramework.Options.ConfigurationStoreOptions + +These options are configurable when using the Entity Framework Core for +the [configuration store](/identityserver/data/configuration.md): + +You set the options at startup time in your `AddConfigurationStore` method: + +```csharp +// Program.cs +var builder = services.AddIdentityServer() + .AddConfigurationStore(options => + { + // configure options here.. + }) +``` + +### Pooling + +Settings that affect the DbContext pooling feature of Entity Framework Core. + +* **`EnablePooling`** + + Gets or set if EF DbContext pooling is enabled. Defaults to `false`. + + +* **`PoolSize`** + + Gets or set the pool size to use when DbContext pooling is enabled. If not set, the EF default is used. + +### Schema + +Settings that affect the database schema and table names. + +* **`DefaultSchema`** + + Gets or sets the default schema. Defaults to `null`. 
+ +`TableConfiguration` settings for each individual table (schema and name) managed by this feature: + +Identity Resource related tables: + +* **`IdentityResource`** +* **`IdentityResourceClaim`** +* **`IdentityResourceProperty`** + +API Resource related tables: + +* **`ApiResource`** +* **`ApiResourceSecret`** +* **`ApiResourceScope`** +* **`ApiResourceClaim`** +* **`ApiResourceProperty`** + +Client related tables: + +* **`Client`** +* **`ClientGrantType`** +* **`ClientRedirectUri`** +* **`ClientPostLogoutRedirectUri`** +* **`ClientScopes`** +* **`ClientSecret`** +* **`ClientClaim`** +* **`ClientIdPRestriction`** +* **`ClientCorsOrigin`** +* **`ClientProperty`** + +API Scope related tables: + +* **`ApiScope`** +* **`ApiScopeClaim`** +* **`ApiScopeProperty`** + +Identity provider related tables: + +* **`IdentityProvider`** + diff --git a/astro/src/content/docs/identityserver/reference/v7/efoptions/index.md b/astro/src/content/docs/identityserver/reference/v7/efoptions/index.md new file mode 100644 index 000000000..0709a5c6c --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/efoptions/index.md @@ -0,0 +1,11 @@ +--- +title: Entity Framework Core Options +description: Configuration options available when using Entity Framework Core as the storage implementation for IdentityServer. +sidebar: + label: EF Options + order: 1 +redirect_from: + - /identityserver/v7/reference/efoptions/ +--- + +If using the [Entity Framework Core store implementation](/identityserver/data/ef.md), you might need to configure those specific options. diff --git a/astro/src/content/docs/identityserver/reference/v7/efoptions/operational.md b/astro/src/content/docs/identityserver/reference/v7/efoptions/operational.md new file mode 100644 index 000000000..864fc004e --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/efoptions/operational.md 
@@ -0,0 +1,86 @@ +--- +title: "Operational Options" +description: "Configure Entity Framework Core operational store options including database schema, pooling settings, and cleanup parameters for persisted grants." +sidebar: + order: 10 +redirect_from: + - /identityserver/v7/reference/efoptions/operational/ +--- + +## Duende.IdentityServer.EntityFramework.Options.OperationalStoreOptions + +These options are configurable when using the Entity Framework Core for +the [operational store](/identityserver/data/operational.md): + +You set the options at startup time in your `AddOperationalStore` method: + +```csharp +// Program.cs +builder.Services.AddIdentityServer() + .AddOperationalStore(options => + { + // configure options here.. + }) +``` + +### Pooling + +Settings that affect the DbContext pooling feature of Entity Framework Core. + +* **`EnablePooling`** + + Gets or set if EF DbContext pooling is enabled. Defaults to `false`. + + +* **`PoolSize`** + + Gets or set the pool size to use when DbContext pooling is enabled. If not set, the EF default is used. + +### Schema + +Settings that affect the database schema and table names. + +* **`DefaultSchema`** + + Gets or sets the default schema. Defaults to `null`. + +`TableConfiguration` settings for each individual table (schema and name) managed by this feature: + +* **`PersistedGrants`** +* **`DeviceFlowCodes`** +* **`Keys`** +* **`ServerSideSessions`** + +### Persisted Grants Cleanup + +Settings that affect the background cleanup of expired entries (tokens) from the persisted grants table. + +* **`EnableTokenCleanup`** + + Gets or sets a value indicating whether stale entries will be automatically cleaned up from the database. + This is implemented by periodically connecting to the database (according to the TokenCleanupInterval) from the + hosting application. + Defaults to `false`. 
+ +* **`RemoveConsumedTokens`** + + Gets or sets a value indicating whether consumed tokens will be included in the automatic clean up. + Defaults to `false`. + +* **`TokenCleanupInterval`** + + Gets or sets the token cleanup interval (in seconds). The default is `3600` (1 hour). + +* **`TokenCleanupBatchSize`** + + Gets or sets the number of records to remove per batch operation. + The cleanup job will perform multiple batch operations as long as there are more records to remove than the configured `TokenCleanupBatchSize`. + Defaults to `100`. + +* **`FuzzTokenCleanupStart`** + + The background token cleanup job runs at a configured interval. If multiple nodes run the cleanup + job at the same time there will be updated conflicts in the store. To avoid that, the startup time + can be fuzzed. The first run is scheduled at a random time between the host startup and the configured + TokenCleanupInterval. Subsequent runs are run on the configured TokenCleanupInterval. Defaults to `true` + diff --git a/astro/src/content/docs/identityserver/reference/endpoints/_meta.yml b/astro/src/content/docs/identityserver/reference/v7/endpoints/_meta.yml similarity index 100% rename from astro/src/content/docs/identityserver/reference/endpoints/_meta.yml rename to astro/src/content/docs/identityserver/reference/v7/endpoints/_meta.yml diff --git a/astro/src/content/docs/identityserver/reference/v7/endpoints/authorize.md b/astro/src/content/docs/identityserver/reference/v7/endpoints/authorize.md new file mode 100644 index 000000000..bfe7e39a3 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/endpoints/authorize.md 
@@ -0,0 +1,161 @@ +--- +title: "Authorize Endpoint" +description: "Documentation for the authorize endpoint which handles browser-based token and authorization code requests, including authentication and consent flows." +date: 2020-09-10T08:22:12+02:00 +sidebar: + label: Authorize + order: 3 +redirect_from: + - /identityserver/v7/reference/endpoints/authorize/ + - /identityserver/v7/reference/endpoints/ +--- + +The authorize endpoint can be used to request tokens or authorization codes via the browser. +This process typically involves authentication of the end-user and optionally consent. + +IdentityServer supports a subset of the OpenID Connect and OAuth 2.0 authorize request parameters. For a full list, +see [here](https://openid.net/specs/openid-connect-core-1_0.html#authrequest). + +### Required Parameters + +* **`client_id`** + + identifier of the client + +* **`scope`** + + one or more registered scopes + +* **`redirect_uri`** + + must exactly match one of the allowed redirect URIs for that client + +* **`response_type`** + + specifies the response type + + * **`id_token`** + + * **`token`** + + * ***id_token token*** + + * **`code`** + + * ***code id_token*** + + * ***code id_token token*** + +### Optional Parameters + +* **`response_mode`** + + specifies the response mode + + * **`query`** + + * **`fragment`** + + * **`form_post`** + +* **`state`** + + echos back the state value on the token response, + this is for round tripping state between client and provider, correlating request and response and CSRF/replay + protection. (recommended) + +* **`nonce`** + + echos back the nonce value in the identity token (for replay protection) + + Required when identity tokens is transmitted via the browser channel + +* **`prompt`** + + * **`none`** + + no UI will be shown during the request. If this is not possible (e.g. 
because the user has to sign in or consent) + an error is returned + + * **`login`** + + the login UI will be shown, even if the user is already signed in and has a valid session + + * **`create`** + + the user registration UI will be shown, if the `UserInteraction.CreateAccountUrl` option is set (the option is + null by default, which disables support for this prompt value) + +* **`code_challenge`** + + sends the code challenge for PKCE + +* **`code_challenge_method`** + + * **`plain`** + + indicates that the challenge is using plain text (not recommended) + + * **`S256`** + + indicates the challenge is hashed with SHA256 + +* **`login_hint`** + + can be used to pre-fill the username field on the login page + +* **`ui_locales`** + + gives a hint about the desired display language of the login UI + +* **`max_age`** + + if the user's logon session exceeds the max age (in seconds), the login UI will be shown + +* **`acr_values`** + + allows passing in additional authentication related information - IdentityServer special cases the following + proprietary acr_values: + + * **`idp:name_of_idp`** + + bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed + per client configuration) + + * **`tenant:name_of_tenant`** + + can be used to pass a tenant name to the login UI + +* **`request`** + + instead of providing all parameters as individual query string parameters, you can provide a subset or all them as + a JWT + +* **`request_uri`** + + URL of a pre-packaged JWT containing request parameters + +```text +GET /connect/authorize? + client_id=client1& + scope=openid email api1& + response_type=id_token token& + redirect_uri=https://myapp/callback& + state=abc& + nonce=xyz +``` + +## .NET Client Library + +You can use the [Duende IdentityModel](/identitymodel/index.mdx) client library to programmatically create +authorize request URLs from .NET code. 
+ +```csharp +var ru = new RequestUrl("https://demo.duendesoftware.com/connect/authorize"); + +var url = ru.CreateAuthorizeUrl( + clientId: "client", + responseType: "code", + redirectUri: "https://app.com/callback", + scope: "openid"); +``` \ No newline at end of file diff --git a/astro/src/content/docs/identityserver/reference/v7/endpoints/ciba.md b/astro/src/content/docs/identityserver/reference/v7/endpoints/ciba.md new file mode 100644 index 000000000..c444d1385 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/endpoints/ciba.md 
@@ -0,0 +1,156 @@ +--- +title: "Backchannel Authentication Endpoint" +description: "Documentation for the CIBA endpoint which allows clients to initiate backchannel authentication requests for users without browser interaction" +sidebar: + label: Backchannel Authentication + order: 10 +redirect_from: + - /identityserver/v7/reference/endpoints/ciba/ +--- + +The backchannel authentication endpoint is used by a client to initiate a [CIBA](/identityserver/ui/ciba.md) request. + +Clients must be configured with the `"urn:openid:params:grant-type:ciba"` grant type to use this endpoint. +You can use the `OidcConstants.GrantTypes.Ciba` constant rather than hard coding the value for the CIBA grant type. + +### Required Parameters + +* **`scope`** + + one or more registered scopes + +:::note +The client id and a client credential is required to authenticate to the endpoint using any valid form of authentication +that has been configured for it (much like the token endpoint). +::: + +### Exactly One Of These Values Is Required + +* **`login_hint`** + + hint for the end user to be authenticated. the value used is implementation specific. + +* **`id_token_hint`** + + a previously issued id_token for the end user to be authenticated + +* **`login_hint_token`** + + a token containing information for the end user to be authenticated. the details are implementation specific. + +:::note +To validate these implementation specific values and use them to identity the user that is to be authenticated, you are +required to implement the `IBackchannelAuthenticationUserValidator` interface. 
+::: + +### Optional Parameters + +* **`binding_message`** + + identifier or message intended to be displayed on both the consumption device and the authentication device + +* **`user_code`** + + a secret code, such as a password or pin, that is known only to the user but verifiable by the OP + +* **`requested_expiry`** + + a positive integer allowing the client to request the expires_in value for the auth_req_id the server will return. if + not present, then the optional `CibaLifetime` property on the `Client` is used, and if that is not present, then the + `DefaultLifetime` on the `CibaOptions` will be used. + +* **`acr_values`** + + allows passing in additional authentication related information - IdentityServer special cases the following + proprietary acr_values: + + * **`idp:name_of_idp`** + + bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed + per client configuration) + + * **`tenant:name_of_tenant`** + + can be used to pass a tenant name to the login UI + +* **`resource`** + + resource indicator identifying the `ApiResource` for which the access token should be restricted to + +* **`request`** + + instead of providing all parameters as individual parameters, you can provide all them as a JWT + +```http request +POST /connect/ciba + + client_id=client1& + client_secret=secret& + scope=openid api1& + login_hint=alice +``` + +And a successful response will look something like: + +```http request +HTTP/1.1 200 OK +Content-Type: application/json +Cache-Control: no-store + +{ + "auth_req_id": "1C266114A1BE42528AD104986C5B9AC1", + "expires_in": 600, + "interval": 5 +} +``` + +## .NET Client Library + +You can use the [Duende IdentityModel](/identitymodel/index.mdx) client library to programmatically interact with +the protocol endpoint from .NET code. 
+ +```csharp +using Duende.IdentityModel.Client; + +var client = new HttpClient(); + +var cibaResponse = await client.RequestBackchannelAuthenticationAsync(new BackchannelAuthenticationRequest +{ + Address = "https://demo.duendesoftware.com/connect/ciba", + ClientId = "client1", + ClientSecret = "secret", + Scope = "openid api1", + LoginHint = "alice", +}); +``` + +And with a successful response, it can be used to poll the token endpoint: + +```csharp +while (true) +{ + var response = await client.RequestBackchannelAuthenticationTokenAsync(new BackchannelAuthenticationTokenRequest + { + Address = "https://demo.duendesoftware.com/connect/token", + ClientId = "client1", + ClientSecret = "secret", + AuthenticationRequestId = cibaResponse.AuthenticationRequestId + }); + + if (response.IsError) + { + if (response.Error == OidcConstants.TokenErrors.AuthorizationPending || response.Error == OidcConstants.TokenErrors.SlowDown) + { + await Task.Delay(cibaResponse.Interval.Value * 1000); + } + else + { + throw new Exception(response.Error); + } + } + else + { + // success! use response.IdentityToken, response.AccessToken, and response.RefreshToken (if requested) + } +} +``` diff --git a/astro/src/content/docs/identityserver/reference/v7/endpoints/device-authorization.md b/astro/src/content/docs/identityserver/reference/v7/endpoints/device-authorization.md new file mode 100644 index 000000000..b2fdf1dcb --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/endpoints/device-authorization.md 
@@ -0,0 +1,50 @@ +--- +title: "Device Authorization Endpoint" +description: "Documentation for the device authorization endpoint which handles device flow authentication requests and issues device and user codes for authorization." +date: 2020-09-10T08:22:12+02:00 +sidebar: + label: Device Authorization + order: 9 +redirect_from: + - /identityserver/v7/reference/endpoints/device_authorization/ +--- + +The device authorization endpoint can be used to request device and user codes. +This endpoint is used to start the device flow authorization process. + +* **`client_id`** + + client identifier (required) + +* **`client_secret`** + + client secret either in the post body, or as a basic authentication header. Optional. + +* **`scope`** + + one or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued + +```text +POST /connect/deviceauthorization + + client_id=client1& + client_secret=secret& + scope=openid api1 +``` + +## .NET Client Library + +You can use the [Duende IdentityModel](/identitymodel/index.mdx) client library to programmatically interact with +the protocol endpoint from .NET code. + +```csharp +using Duende.IdentityModel.Client; + +var client = new HttpClient(); + +var response = await client.RequestDeviceAuthorizationAsync(new DeviceAuthorizationRequest +{ + Address = "https://demo.duendesoftware.com/connect/device_authorize", + ClientId = "device" +}); +``` \ No newline at end of file diff --git a/astro/src/content/docs/identityserver/reference/v7/endpoints/discovery.md b/astro/src/content/docs/identityserver/reference/v7/endpoints/discovery.md new file mode 100644 index 000000000..26c584847 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/endpoints/discovery.md 
@@ -0,0 +1,86 @@
+---
+title: "Discovery Endpoint"
+description: "Learn about the discovery endpoint that provides metadata about your IdentityServer configuration, including issuer name, key material, and supported scopes."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ label: Discovery
+ order: 1
+redirect_from:
+ - /identityserver/v7/reference/endpoints/discovery/
+---
+
+The [discovery endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html) can be used to retrieve metadata
+about your IdentityServer - it returns information like the issuer name, key material, supported scopes etc.
+
+The discovery endpoint is available via `/.well-known/openid-configuration` relative to the base address, e.g.:
+
+```text
+https://demo.duendesoftware.com/.well-known/openid-configuration
+```
+
+## Issuer Name and Path Base
+
+When your IdentityServer is hosted in an application that uses [ASP.NET Core's `PathBaseMiddleware`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.extensions.usepathbasemiddleware), the base path will be
+included in the issuer name and discovery document URLs.
For example, if your application is configured with a path base
+of `/identity`, your configuration will look like this:
+
+```csharp title="Program.cs"
+var builder = WebApplication.CreateBuilder(args);
+
+// 👨‍💻 configure Application Host
+
+var app = builder.Build();
+app.UseSerilogRequestLogging();
+
+if (app.Environment.IsDevelopment())
+{
+ app.UseDeveloperExceptionPage();
+}
+
+// 👋 Configuring the path base
+app.UsePathBase("/identity");
+
+app.UseStaticFiles();
+app.UseRouting();
+
+app.UseIdentityServer();
+app.UseAuthorization();
+
+app.MapRazorPages()
+ .RequireAuthorization();
+
+return app;
+```
+
+And the discovery document will look like this:
+
+```json title=".well-known/openid-configuration"
+{
+ "issuer": "https://localhost:5001/identity",
+ "jwks_uri": "https://localhost:5001/identity/.well-known/openid-configuration/jwks",
+ "authorization_endpoint": "https://localhost:5001/identity/connect/authorize",
+ "token_endpoint": "https://localhost:5001/identity/connect/token",
+ "userinfo_endpoint": "https://localhost:5001/identity/connect/userinfo",
+ "end_session_endpoint": "https://localhost:5001/identity/connect/endsession",
+ "check_session_iframe": "https://localhost:5001/identity/connect/checksession",
+ "revocation_endpoint": "https://localhost:5001/identity/connect/revocation",
+ "introspection_endpoint": "https://localhost:5001/identity/connect/introspect",
+ "device_authorization_endpoint": "https://localhost:5001/identity/connect/deviceauthorization",
+ "backchannel_authentication_endpoint": "https://localhost:5001/identity/connect/ciba",
+ "pushed_authorization_request_endpoint": "https://localhost:5001/identity/connect/par"
+}
+```
+
+This can be helpful when configuring IdentityServer in a multi-tenant scenario where the base path is used to
+identify the tenant.
+
+## .NET Client Library
+
+You can use the [Duende IdentityModel](/identitymodel/index.mdx) client library to programmatically interact with
+the protocol endpoint from .NET code.
+
+```csharp
+var client = new HttpClient();
+
+var disco = await client.GetDiscoveryDocumentAsync("https://demo.duendesoftware.com");
+```
\ No newline at end of file
diff --git a/astro/src/content/docs/identityserver/reference/v7/endpoints/end-session.md b/astro/src/content/docs/identityserver/reference/v7/endpoints/end-session.md
new file mode 100644
index 000000000..0f072f91d
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/endpoints/end-session.md
@@ -0,0 +1,54 @@
+---
+title: "End Session Endpoint"
+description: "The end session endpoint enables single sign-out functionality in OpenID Connect, allowing users to terminate their sessions across multiple client applications."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ label: End Session
+ order: 8
+redirect_from:
+ - /identityserver/v7/reference/endpoints/end_session/
+---
+
+The end session endpoint can be used to trigger single sign-out in the browser (
+see [spec](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)).
+
+To use the end session endpoint a client application will redirect the user's browser to the end session URL.
+All applications that the user has logged into via the browser during the user's session can participate in the
+sign-out.
+
+The URL for the end session endpoint is available via discovery.
+
+* **`id_token_hint`**
+
+ When the user is redirected to the endpoint, they will be prompted if they really want to sign-out.
+ This prompt can be bypassed by a client sending the original `id_token` received from authentication.
+ This is passed as a query string parameter called `id_token_hint`.
+
+* **`post_logout_redirect_uri`**
+
+ If a valid `id_token_hint` is passed, then the client may also send a `post_logout_redirect_uri` parameter.
+ This can be used to allow the user to redirect back to the client after sign-out.
+ The value must match one of the client's pre-configured `PostLogoutRedirectUris`.
+
+* **`state`**
+
+ If a valid `post_logout_redirect_uri` is passed, then the client may also send a `state` parameter.
+ This will be returned back to the client as a query string parameter after the user redirects back to the client.
+ This is typically used by clients to roundtrip state across the redirect.
+
+```text
+GET /connect/endsession?id_token_hint=...&post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A7017%2Findex.html
+```
+
+## .NET Client Library
+
+You can use the [Duende IdentityModel](/identitymodel/index.mdx) client library to programmatically create end
+sessions request URLs from .NET code.
+
+```csharp
+var ru = new RequestUrl("https://demo.duendesoftware.com/connect/end_session");
+
+var url = ru.CreateEndSessionUrl(
+ idTokenHint: "...",
+ postLogoutRedirectUri: "...");
+```
diff --git a/astro/src/content/docs/identityserver/reference/v7/endpoints/introspection.md b/astro/src/content/docs/identityserver/reference/v7/endpoints/introspection.md
new file mode 100644
index 000000000..87391cb5f
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/endpoints/introspection.md
@@ -0,0 +1,125 @@
+---
+title: "Introspection Endpoint"
+description: "Documentation for the RFC 7662 compliant introspection endpoint used to validate reference tokens, JWTs, and refresh tokens."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ label: Introspection
+ order: 6
+redirect_from:
+ - /identityserver/v7/reference/endpoints/introspection/
+---
+
+The introspection endpoint is an implementation of [RFC 7662](https://tools.ietf.org/html/rfc7662).
+
+It can be used to validate reference tokens, JWTs (if the consumer does not have support for appropriate JWT or
+cryptographic libraries) and refresh tokens. Refresh tokens can only be introspected by the client that requested them.
+
+The introspection endpoint requires authentication. Since the request to the introspection endpoint is typically done by an API, which is not an OAuth client, the [`ApiResource`](/identityserver/fundamentals/resources/api-resources.md) is used to configure credentials:
+
+```csharp
+new ApiResource("resource1")
+{
+ Scopes = { "scope1", "scope2" }, // Replace "scope1", "scope2" with the actual scopes required for your API
+
+ ApiSecrets =
+ {
+ new Secret("secret".Sha256())
+ }
+}
+```
+Here the id used for authentication is the name of the `ApiResource`: "resource1" and the secret the configured secret.
The introspection endpoint uses HTTP basic auth to communicate these credentials:
+
+```text
+POST /connect/introspect
+Authorization: Basic xxxyyy
+
+token=
+```
+
+A successful response will return a status code of 200, the token claims, the token type, and a flag indicating the token is active:
+
+```json
+{
+ "iss": "https://localhost:5001",
+ "nbf": 1729599599,
+ "iat": 1729599599,
+ "exp": 1729603199,
+ "client_id": "client",
+ "jti": "44FD2DE9E9F8E9F4DDD141CD7C244BE9",
+ "scope": "api1",
+ "token_type": "access_token",
+ "active": true
+}
+```
+
+Unknown or expired tokens will be marked as inactive:
+
+```json
+{
+ "active": false
+}
+```
+
+An invalid request will return a 400, an unauthorized request 401.
+
+## JWT Response from Introspection Endpoint :badge[v7.3]
+
+IdentityServer supports [RFC 9701](https://www.rfc-editor.org/rfc/rfc9701.html) to return a JWT response from the
+introspection endpoint.
+
+To return a JWT response, set the `Accept` header in the HTTP request to `application/token-introspection+jwt`:
+
+```text
+POST /connect/introspect
+Accept: application/token-introspection+jwt
+Authorization: Basic xxxyyy
+
+token=
+```
+
+A successful response will return a status code of 200 and has a `Content-Type: application/token-introspection+jwt` header,
+indicating that the response body contains a raw JWT instead. The base64 decoded JWT will have a `typ` claim in the header with
+the value `token-introspection+jwt`.
The token's payload contains a `token_introspection` JSON object similar to the default response type:
+
+```json
+{
+ "alg": "RS256",
+ "kid": "BE9D78519A8BBCB28A65FADEECF49CBC",
+ "typ": "token-introspection+jwt"
+}.{
+ "iss": "https://localhost:5001",
+ "iat": 1729599599,
+ "aud": "api1",
+ "token_introspection": {
+ "iss": "https://localhost:5001",
+ "nbf": 1729599599,
+ "iat": 1729599599,
+ "exp": 1729603199,
+ "aud": [ "api1" ],
+ "client_id": "client",
+ "jti": "44FD2DE9E9F8E9F4DDD141CD7C244BE9",
+ "active": true,
+ "scope": "api1"
+ }
+}.[Signature]
+```
+
+## .NET Client Library
+
+You can use the [Duende IdentityModel](/identitymodel/index.mdx) client library to programmatically interact with
+the protocol endpoint from .NET code.
+
+```csharp
+using Duende.IdentityModel.Client;
+
+var client = new HttpClient();
+
+var response = await client.IntrospectTokenAsync(new TokenIntrospectionRequest
+{
+ Address = "https://demo.duendesoftware.com/connect/introspect",
+ ClientId = "resource1",
+ ClientSecret = "secret",
+
+ Token = "" // Replace with the actual token
+});
+```
\ No newline at end of file
diff --git a/astro/src/content/docs/identityserver/reference/endpoints/oauth-metadata.md b/astro/src/content/docs/identityserver/reference/v7/endpoints/oauth-metadata.md
similarity index 89%
rename from astro/src/content/docs/identityserver/reference/endpoints/oauth-metadata.md
rename to astro/src/content/docs/identityserver/reference/v7/endpoints/oauth-metadata.md
index 158ed0b44..eb5699bb9 100644
--- a/astro/src/content/docs/identityserver/reference/endpoints/oauth-metadata.md
+++ b/astro/src/content/docs/identityserver/reference/v7/endpoints/oauth-metadata.md
@@ -21,5 +21,5 @@ https://demo.duendesoftware.com/.well-known/oauth-authorization-server When hosting IdentityServer in an application that uses [ASP.NET Core's `PathBaseMiddleware`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.extensions.usepathbasemiddleware), the base path will be included in the issuer name and discovery document URLs.
-Refer the [Discovery Endpoint](/identityserver/reference/endpoints/discovery.md#issuer-name-and-path-base)
+Refer the [Discovery Endpoint](/identityserver/reference/v7/endpoints/discovery.md#issuer-name-and-path-base) for more information.
diff --git a/astro/src/content/docs/identityserver/reference/v7/endpoints/revocation.md b/astro/src/content/docs/identityserver/reference/v7/endpoints/revocation.md
new file mode 100644
index 000000000..9815caa44
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/endpoints/revocation.md
@@ -0,0 +1,50 @@
+---
+title: "Revocation Endpoint"
+description: "Learn about the revocation endpoint that allows invalidating access and refresh tokens according to RFC 7009 specification."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ label: Revocation
+ order: 7
+redirect_from:
+ - /identityserver/v7/reference/endpoints/revocation/
+---
+
+This endpoint allows revoking access tokens (reference tokens only) and refresh token.
+It implements the token revocation specification [(RFC 7009)](https://tools.ietf.org/html/rfc7009).
+
+* **`token`**
+
+ the token to revoke (required)
+
+* **`token_type_hint`**
+
+ either `access_token` or `refresh_token` (optional)
+
+```text
+POST /connect/revocation HTTP/1.1
+Host: server.example.com
+Content-Type: application/x-www-form-urlencoded
+Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
+
+token=...&token_type_hint=refresh_token
+```
+
+## .NET Client Library
+
+You can use the [Duende IdentityModel](/identitymodel/index.mdx) client library to programmatically interact with
+the protocol endpoint from .NET code.
+
+```csharp
+using Duende.IdentityModel.Client;
+
+var client = new HttpClient();
+
+var result = await client.RevokeTokenAsync(new TokenRevocationRequest
+{
+ Address = "https://demo.duendesoftware.com/connect/revocation",
+ ClientId = "client",
+ ClientSecret = "secret",
+
+ Token = token
+});
+```
diff --git a/astro/src/content/docs/identityserver/reference/v7/endpoints/token.md b/astro/src/content/docs/identityserver/reference/v7/endpoints/token.md
new file mode 100644
index 000000000..956133cdd
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/endpoints/token.md
@@ -0,0 +1,120 @@
+---
+title: "Token Endpoint"
+description: "Documentation for the token endpoint that enables programmatic token requests using various grant types and parameters in Duende IdentityServer."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ label: Token
+ order: 4
+redirect_from:
+ - /identityserver/v7/reference/endpoints/token/
+---
+
+The token endpoint can be used to programmatically request tokens.
+
+Duende IdentityServer supports a subset of the OpenID Connect and OAuth 2.0 token request parameters. For a full list,
+see [here](https://openid.net/specs/openid-connect-core-1_0.html#tokenrequest).
+
+### Required Parameters
+
+* **`client_id`**
+
+ client identifier; not necessary in body if it is present in the authorization header
+
+* **`grant_type`**
+
+ * **`authorization_code`**
+
+ * **`client_credentials`**
+
+ * **`password`**
+
+ * **`refresh_token`**
+
+ * **`urn:ietf:params:oauth:grant-type:device_code`**
+
+ * ***extension grant***
+
+### Optional Parameters
+
+* **`client_secret`**
+
+ client secret for confidential/credentials clients - either in the post body, or as a basic authentication header.
+
+* **`scope`**
+
+ one or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued.
+
+* **`redirect_uri`**
+
+ required for the `authorization_code` grant type
+
+* **`code`**
+
+ the authorization code (required for `authorization_code` grant type)
+
+* **`code_verifier`**
+
+ PKCE proof key
+
+* **`username`**
+
+ resource owner username (required for `password` grant type)
+
+* **`password`**
+
+ resource owner password (required for `password` grant type)
+
+* **`acr_values`**
+
+ allows passing in additional authentication related information.
Duende IdentityServer special cases the following
+ proprietary acr_values
+
+ * **`tenant:name_of_tenant`**
+
+ can be used to pass a tenant name to the token endpoint
+
+* **`refresh_token`**
+
+ the refresh token (required for `refresh_token` grant type)
+
+* **`device_code`**
+
+ the device code (required for `urn:ietf:params:oauth:grant-type:device_code` grant type)
+
+* **`auth_req_id`**
+
+ the backchannel authentication request id (required for `urn:openid:params:grant-type:ciba` grant type)
+
+```text
+POST /connect/token
+CONTENT-TYPE application/x-www-form-urlencoded
+
+ client_id=client1&
+ client_secret=secret&
+ grant_type=authorization_code&
+ code=hdh922&
+ redirect_uri=https://myapp.com/callback
+```
+
+## .NET Client Library
+
+You can use the [Duende IdentityModel](/identitymodel/index.mdx) client library to programmatically interact with
+the protocol endpoint from .NET code.
+
+```csharp
+using Duende.IdentityModel.Client;
+
+var client = new HttpClient();
+
+var response = await client.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
+{
+ Address = TokenEndpoint,
+
+ ClientId = "client",
+ ClientSecret = "secret",
+
+ Code = "...",
+ CodeVerifier = "...",
+ RedirectUri = "https://app.com/callback"
+});
+```
diff --git a/astro/src/content/docs/identityserver/reference/v7/endpoints/userinfo.md b/astro/src/content/docs/identityserver/reference/v7/endpoints/userinfo.md
new file mode 100644
index 000000000..5ba665afd
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/endpoints/userinfo.md
@@ -0,0 +1,65 @@
+---
+title: "UserInfo Endpoint"
+description: "Reference documentation for the UserInfo endpoint, which allows retrieval of authenticated user claims using a valid access token."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ label: UserInfo
+ order: 5
+redirect_from:
+ - /identityserver/v7/reference/endpoints/userinfo/
+---
+
+The UserInfo endpoint can be used to retrieve claims about a user (
+see [spec](https://openid.net/specs/openid-connect-core-1_0.html#userinfo)).
+
+The caller needs to send a valid access token.
+Depending on the granted scopes, the UserInfo endpoint will return the mapped claims (at least the `openid` scope is
+required).
+
+```text
+GET /connect/userinfo
+Authorization: Bearer
+```
+
+```text
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "sub": "248289761001",
+ "name": "Bob Smith",
+ "given_name": "Bob",
+ "family_name": "Smith"
+}
+```
+
+## .NET Client Library
+
+You can use the [Duende IdentityModel](/identitymodel/index.mdx) client library to programmatically interact with
+the protocol endpoint from .NET code.
+
+```csharp
+using Duende.IdentityModel.Client;
+
+var client = new HttpClient();
+
+var disco = await client.GetDiscoveryDocumentAsync("https://localhost:5001");
+
+var token = await client.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
+{
+ Address = disco.TokenEndpoint,
+
+ ClientId = "client",
+ ClientSecret = "secret",
+
+ Code = "...",
+ CodeVerifier = "...",
+ RedirectUri = "https://app.com/callback"
+});
+
+var userInfo = await client.GetUserInfoAsync(new UserInfoRequest
+{
+ Address = disco.UserInfoEndpoint,
+ Token = token.AccessToken
+});
+```
\ No newline at end of file
diff --git a/astro/src/content/docs/identityserver/reference/models/_meta.yml b/astro/src/content/docs/identityserver/reference/v7/models/_meta.yml
similarity index 100%
rename from astro/src/content/docs/identityserver/reference/models/_meta.yml
rename to astro/src/content/docs/identityserver/reference/v7/models/_meta.yml
diff --git a/astro/src/content/docs/identityserver/reference/v7/models/api-resource.md b/astro/src/content/docs/identityserver/reference/v7/models/api-resource.md
new file mode 100644
index 000000000..5ac0db2b5
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/models/api-resource.md
@@ -0,0 +1,94 @@
+---
+title: "API Resource"
+description: "Reference documentation for the ApiResource class which models an API in Duende IdentityServer, including its properties and configuration options."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ order: 30
+redirect_from:
+ - /identityserver/v7/reference/models/api_resource/
+ - /identityserver/v7/reference/models/
+---
+
+## Duende.IdentityServer.Models.ApiResource
+
+This class models an API.
+
+* **`Enabled`**
+
+ Indicates if this resource is enabled and can be requested. Defaults to true.
+
+* **`Name`**
+
+ The unique name of the API. This value is used for authentication with introspection and will be added to the audience
+ of the outgoing access token.
+
+* **`DisplayName`**
+
+ This value can be used e.g. on the consent screen.
+
+* **`Description`**
+
+ This value can be used e.g. on the consent screen.
+
+* **`RequireResourceIndicator`**
+
+ Indicates if this API resource requires the resource indicator to request it, and expects access tokens issued to it
+ will only ever contain this API resource as the audience.
+
+* **`ApiSecrets`**
+
+ The API secret is used for the introspection endpoint. The API can authenticate with introspection using the API name
+ and secret.
+
+* **`AllowedAccessTokenSigningAlgorithms`**
+
+ List of allowed signing algorithms for access token. If empty, will use the server default signing algorithm.
+
+* **`UserClaims`**
+
+ List of associated user claim types that should be included in the access token.
+
+* **`Scopes`**
+
+ List of API scope names. You need to create those using [ApiScope](/identityserver/reference/v7/models/api-scope.md).
+
+## Defining API resources In appsettings.json
+
+The `AddInMemoryApiResource` extensions method also supports adding API resources from the ASP.NET Core configuration
+file:
+
+ "IdentityServer": {
+ "IssuerUri": "urn:sso.company.com",
+ "ApiResources": [
+ {
+ "Name": "resource1",
+ "DisplayName": "Resource #1",
+
+ "Scopes": [
+ "resource1.scope1",
+ "shared.scope"
+ ]
+ },
+ {
+ "Name": "resource2",
+ "DisplayName": "Resource #2",
+
+ "UserClaims": [
+ "name",
+ "email"
+ ],
+
+ "Scopes": [
+ "resource2.scope1",
+ "shared.scope"
+ ]
+ }
+ ]
+ }
+
+Then pass the configuration section to the `AddInMemoryApiResource` method:
+
+```csharp
+// Program.cs
+idsvrBuilder.AddInMemoryApiResources(configuration.GetSection("IdentityServer:ApiResources"))
+```
diff --git a/astro/src/content/docs/identityserver/reference/v7/models/api-scope.md b/astro/src/content/docs/identityserver/reference/v7/models/api-scope.md
new file mode 100644
index 000000000..2e2ff8405
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/models/api-scope.md
@@ -0,0 +1,75 @@
+---
+title: "API Scope"
+description: "Reference documentation for the ApiScope class which models an OAuth scope in Duende IdentityServer, including its properties and configuration options."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ order: 25
+redirect_from:
+ - /identityserver/v7/reference/models/api_scope/
+---
+
+## Duende.IdentityServer.Models.ApiScope
+
+This class models an OAuth scope.
+
+* **`Enabled`**
+
+ Indicates if this resource is enabled and can be requested. Defaults to true.
+
+* **`Name`**
+
+ The unique name of the API. This value is used for authentication with introspection and will be added to the audience
+ of the outgoing access token.
+
+* **`DisplayName`**
+
+ This value can be used e.g. on the consent screen.
+
+* **`Description`**
+
+ This value can be used e.g. on the consent screen.
+
+* **`UserClaims`**
+
+ List of associated user claim types that should be included in the access token.
+
+## Defining API Scope In appsettings.json
+
+The `AddInMemoryApiResource` extension method also supports adding clients from the ASP.NET Core configuration file:
+
+```json
+{
+ "IdentityServer": {
+ "IssuerUri": "urn:sso.company.com",
+ "ApiScopes": [
+ {
+ "Name": "IdentityServerApi"
+ },
+ {
+ "Name": "resource1.scope1"
+ },
+ {
+ "Name": "resource2.scope1"
+ },
+ {
+ "Name": "scope3"
+ },
+ {
+ "Name": "shared.scope"
+ },
+ {
+ "Name": "transaction",
+ "DisplayName": "Transaction",
+ "Description": "A transaction"
+ }
+ ]
+ }
+}
+```
+
+Then pass the configuration section to the `AddInMemoryApiScopes` method:
+
+```csharp
+// Program.cs
+idsvrBuilder.AddInMemoryApiScopes(configuration.GetSection("IdentityServer:ApiScopes"))
+```
diff --git a/astro/src/content/docs/identityserver/reference/v7/models/ciba-login-request.md b/astro/src/content/docs/identityserver/reference/v7/models/ciba-login-request.md
new file mode 100644
index 000000000..4ff7ae3b8
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/models/ciba-login-request.md
@@ -0,0 +1,48 @@
+---
+title: "Backchannel User Login Request"
+description: "Reference documentation for the BackchannelUserLoginRequest class which models the information needed to initiate a user login request for Client Initiated Backchannel Authentication (CIBA)."
+sidebar:
+ order: 80
+redirect_from:
+ - /identityserver/v7/reference/models/ciba_login_request/
+---
+
+## Duende.IdentityServer.Models.BackchannelUserLoginRequest
+
+Models the information to initiate a user login request for [CIBA](/identityserver/ui/ciba.md).
+
+* **`InternalId`**
+
+ Ihe identifier of the request in the store.
+
+* **`Subject`**
+
+ The subject for whom the login request is intended.
+
+* **`BindingMessage`**
+
+ The binding message used in the request.
+
+* **`AuthenticationContextReferenceClasses`**
+
+ The acr_values used in the request.
+
+* **`Tenant`**
+
+ The tenant value from the acr_values used the request.
+
+* **`IdP`**
+
+ The idp value from the acr_values used in the request.
+
+* **`RequestedResourceIndicators`**
+
+ The resource indicator values used in the request.
+
+* **`Client`**
+
+ The client that initiated the request.
+
+* **`ValidatedResources`**
+
+ The validated resources (i.e. scopes) used in the request.
diff --git a/astro/src/content/docs/identityserver/reference/v7/models/client.md b/astro/src/content/docs/identityserver/reference/v7/models/client.md
new file mode 100644
index 000000000..bc45a9227
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/models/client.md
@@ -0,0 +1,359 @@
+---
+title: "Client"
+description: "Reference documentation for the Client class which models an OpenID Connect or OAuth 2.0 client in Duende IdentityServer, including configuration for authentication, tokens, consent, refresh tokens, and advanced features."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ order: 35
+redirect_from:
+ - /identityserver/v7/reference/models/client/
+---
+
+## Duende.IdentityServer.Models.Client
+
+The `Client` class models an OpenID Connect or OAuth 2.0 client -
+e.g. a native application, a web application or a JS-based application.
+
+```csharp
+public static IEnumerable Get()
+{
+ return new List
+ {
+ ///////////////////////////////////////////
+ // machine to machine client
+ //////////////////////////////////////////
+ new Client
+ {
+ ClientId = "machine",
+ ClientSecrets = { Configuration["machine.secret"] },
+
+ AllowedGrantTypes = GrantTypes.ClientCredentials,
+
+ AllowedScopes = machineScopes
+ },
+
+ ///////////////////////////////////////////
+ // web client
+ //////////////////////////////////////////
+ new Client
+ {
+ ClientId = "web",
+
+ ClientSecrets = { new Secret(Configuration["web.secret"]) },
+
+ AllowedGrantTypes = GrantTypes.Code,
+
+ RedirectUris = { "https://myapp.com:/signin-oidc" },
+ PostLogoutRedirectUris = { "https://myapp.com/signout-callback-oidc" },
+
+ BackChannelLogoutUri = "https://myapp.com/backchannel-logout",
+
+ AllowOfflineAccess = true,
+ AllowedScopes = webScopes
+ }
+ }
+}
+```
+
+## Basics
+
+* **`Enabled`**
+
+ Specifies if client is enabled. Defaults to `true`.
+
+* **`ClientId`**
+
+ Unique ID of the client
+
+* **`ClientSecrets`**
+
+ List of client secrets - credentials to access the token endpoint.
+
+* **`RequireClientSecret`**
+
+ Specifies whether this client needs a secret to request tokens from the token endpoint (defaults to `true`)
+
+* **`RequireRequestObject`**
+
+ Specifies whether this client needs to wrap the authorize request parameters in a JWT (defaults to `false`)
+
+* **`AllowedGrantTypes`**
+
+ Specifies the grant types the client is allowed to use. Use the `GrantTypes` class for common combinations.
+
+* **`RequirePkce`**
+
+ Specifies whether clients using an authorization code based grant type must send a proof key (defaults to `true`).
+
+* **`AllowPlainTextPkce`**
+
+ Specifies whether clients using PKCE can use a plain text code challenge (not recommended - and defaults to `false`)
+
+* **`RedirectUris`**
+
+ Specifies the allowed URIs to return tokens or authorization codes to
+
+* **`AllowedScopes`**
+
+ By default, a client has no access to any resources - specify the allowed resources by adding the corresponding scopes
+ names
+
+* **`AllowOfflineAccess`**
+
+ Specifies whether this client can request refresh tokens (be requesting the `offline_access` scope)
+
+* **`AllowAccessTokensViaBrowser`**
+
+ Specifies whether this client is allowed to receive access tokens via the browser.
+ This is useful to harden flows that allow multiple response types
+ (e.g. by disallowing a hybrid flow client that is supposed to use *code id_token* to add the `token` response type
+ and thus leaking the token to the browser).
+
+* **`Properties`**
+
+ Dictionary to hold any custom client-specific values as needed.
+
+## Authentication / Session Management
+
+* **`PostLogoutRedirectUris`**
+
+ Specifies allowed URIs to redirect to after logout.
+
+* **`FrontChannelLogoutUri`**
+
+ Specifies logout URI at client for HTTP based front-channel logout.
+
+* **`FrontChannelLogoutSessionRequired`**
+
+ Specifies if the user's session id should be sent to the FrontChannelLogoutUri. Defaults to true.
+
+* **`BackChannelLogoutUri`**
+
+ Specifies logout URI at client for HTTP based back-channel logout.
+
+* **`BackChannelLogoutSessionRequired`**
+
+ Specifies if the user's session id should be sent in the request to the BackChannelLogoutUri. Defaults to true.
+
+* **`EnableLocalLogin`**
+
+ Specifies if this client can use local accounts, or external IdPs only. Defaults to `true`.
+
+* **`IdentityProviderRestrictions`**
+
+ Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed). Defaults to empty.
+
+* **`UserSsoLifetime`**
+
+ The maximum duration (in seconds) since the last time the user authenticated. Defaults to `null`.
+ You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials
+ instead of being silently authenticated, when using a web application.
+
+* **`AllowedCorsOrigins`**
+
+ If specified, will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS
+ policy for JavaScript clients.
+
+* **`CoordinateLifetimeWithUserSession`** (added in v6.1)
+
+ When enabled, the client's token lifetimes (e.g. refresh tokens) will be tied to the user's session lifetime.
+ This means when the user logs out, any revokable tokens will be removed.
+ If using server-side sessions, expired sessions will also remove any revokable tokens, and backchannel logout will be
+ triggered.
+ This client's setting overrides the global `CoordinateClientLifetimesWithUserSession` configuration setting.
+
+## Token
+
+* **`IdentityTokenLifetime`**
+
+ Lifetime to identity token in seconds (defaults to 300 seconds / 5 minutes)
+
+* **`AllowedIdentityTokenSigningAlgorithms`**
+
+ List of allowed signing algorithms for identity token. If empty, will use the server default signing algorithm.
+
+* **`AccessTokenLifetime`**
+
+ Lifetime of access token in seconds (defaults to 3600 seconds / 1 hour)
+
+* **`AuthorizationCodeLifetime`**
+
+ Lifetime of authorization code in seconds (defaults to 300 seconds / 5 minutes)
+
+* **`AccessTokenType`**
+
+ Specifies whether the access token is a reference token or a self-contained JWT token (defaults to `Jwt`).
+
+* **`IncludeJwtId`**
+
+ Specifies whether JWT access tokens should have an embedded unique ID (via the `jti` claim). Defaults to `true`.
+
+* **`Claims`**
+
+ Allows settings claims for the client (will be included in the access token).
+
+* **`AlwaysSendClientClaims`**
+
+ If set, the client claims will be sent for every flow. If not, only for client credentials flow (default is `false`)
+
+* **`AlwaysIncludeUserClaimsInIdToken`**
+
+ When requesting both an id token and access token, should the user claims always be added to the id token instead of
+ requiring the client to use the userinfo endpoint. Default is `false`.
+
+* **`ClientClaimsPrefix`**
+
+ If set, the prefix client claim types will be prefixed with. Defaults to `client`_. The intent is to make sure they
+ don't accidentally collide with user claims.
+
+* **`PairWiseSubjectSalt`**
+ Salt value used in pair-wise subjectId generation for users of this client.
+ Currently not implemented.
+
+## Refresh Token
+
+* **`AbsoluteRefreshTokenLifetime`**
+
+ Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds / 30 days.
+
+ Setting this to 0 has the following effect:
+
+ - When `RefreshTokenExpiration` is set to `Absolute`, the behavior is the same as when no refresh tokens are used.
+ - When `RefreshTokenExpiration` is set to `Sliding`, refresh tokens only expire after the
+ `SlidingRefreshTokenLifetime` has passed.
+
+
+* **`SlidingRefreshTokenLifetime`**
+
+ Sliding lifetime of a refresh token in seconds. Defaults to 1296000 seconds / 15 days.
+
+* **`RefreshTokenUsage`**
+ * **`ReUse`**
+
+ the refresh token handle will stay the same when refreshing tokens. This is the default.
+
+ * **`OneTimeOnly`**
+
+ the refresh token handle will be updated when refreshing tokens.
+
+* **`RefreshTokenExpiration`**
+ * **`Absolute`**
+
+ the refresh token will expire on a fixed point in time (specified by the `AbsoluteRefreshTokenLifetime`). This is
+ the default.
+
+ * **`Sliding`**
+
+ when refreshing the token, the lifetime of the refresh token will be renewed (by the amount specified in
+ `SlidingRefreshTokenLifetime`). The lifetime will not exceed `AbsoluteRefreshTokenLifetime`.
+
+* **`UpdateAccessTokenClaimsOnRefresh`**
+
+ Gets or sets a value indicating whether the access token (and its claims) should be updated on a refresh token
+ request.
+
+## Consent Screen
+
+Consent screen specific settings.
+
+* **`RequireConsent`**
+
+ Specifies whether a consent screen is required. Defaults to `false`.
+
+* **`AllowRememberConsent`**
+
+ Specifies whether user can choose to store consent decisions. Defaults to `true`.
+
+* **`ConsentLifetime`**
+
+ Lifetime of a user consent in seconds. Defaults to null (no expiration).
+
+* **`ClientName`**
+
+ Client display name (used for logging and consent screen).
+
+* **`ClientUri`**
+
+ URI to further information about client.
+
+* **`LogoUri`**
+
+ URI to client logo.
+
+## Cross Device Flows
+
+Settings used in the CIBA and OAuth device flows.
+
+* **`PollingInterval`**
+
+ Maximum polling interval for the client in cross device flows. If the client polls more frequently than the polling
+ interval during those flows, it will receive a `slow_down` error response. Defaults to `null`, which means the
+ throttling will use the global default appropriate for the flow (`IdentityServerOptions.Ciba.DefaultPollingInterval`
+ or `IdentityServerOptions.DeviceFlow.Interval`).
+
+#### Device Flow
+
+Device flow specific settings.
+
+* **`UserCodeType`**
+
+ Specifies the type of user code to use for the client. Otherwise, falls back to default.
+
+* **`DeviceCodeLifetime`**
+
+ Lifetime to device code in seconds (defaults to 300 seconds / 5 minutes)
+
+#### CIBA
+
+Client initiated backchannel authentication specific settings.
+
+* **`CibaLifetime`**
+
+ Specifies the backchannel authentication request lifetime in seconds. Defaults to `null`.
+
+## DPoP
+
+Added in 6.3.0.
+
+Settings specific to the Demonstration of Proof-of-Possession at the Application
+Layer ([DPoP](/identityserver/tokens/pop.md)) feature.
+
+* **`RequireDPoP`**
+
+ Specifies whether a DPoP (Demonstrating Proof-of-Possession) token is required to be used by this client. Defaults to
+ `false`.
+
+* **`DPoPValidationMode`**
+
+ Enum setting to control validation for the DPoP proof token expiration. This supports both the client generated 'iat'
+ value and/or the server generated 'nonce' value. Defaults to `DPoPTokenExpirationValidationMode.Iat`, which only
+ validates the 'iat' value.
+
+* **`DPoPClockSkew`**
+
+ Clock skew used in validating the client's DPoP proof token 'iat' claim value. Defaults to *5 minutes*.
+
+## Third-Party Initiated Login
+
+Added in 6.3.0.
+
+* **`InitiateLoginUri`**
+
+ An optional URI that can be used
+ to [initiate login](https://openid.net/specs/openid-connect-core-1_0.html#thirdpartyinitiatedlogin) from the
+ IdentityServer host or a third party. This is most commonly used to create a client application portal within the
+ IdentityServer host. Defaults to null.
+
+## Pushed Authorization Requests
+
+Added in 7.0.0
+
+* **`RequirePushedAuthorization`**
+
+ Controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's
+ flag is enabled (this can't be used to opt out of the global configuration). This defaults to `false`, which means the
+ global configuration will be used.
+
+* **`PushedAuthorizationLifetime`**
+
+ Controls the lifetime of pushed authorization requests for a client. If this lifetime is set, it takes precedence over
+ the global configuration. This defaults to `null`, which means the global configuration is used.
diff --git a/astro/src/content/docs/identityserver/reference/v7/models/grant-validation-result.md b/astro/src/content/docs/identityserver/reference/v7/models/grant-validation-result.md
new file mode 100644
index 000000000..0fa04bccd
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/models/grant-validation-result.md
@@ -0,0 +1,68 @@
+---
+title: "Grant Validation Result"
+description: "Reference documentation for the GrantValidationResult class which models the outcome of grant validation for extension grants and resource owner password grants in Duende IdentityServer."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ order: 45
+redirect_from:
+ - /identityserver/v7/reference/models/grant_validation_result/
+---
+
+## Duende.IdentityServer.Validation.GrantValidationResult
+
+The `GrantValidationResult` class models the outcome of grant validation
+for [extensions grants](/identityserver/tokens/extension-grants.md)
+and [resource owner password grants](/identityserver/tokens/password-grant.md).
+
+It models either a successful validation result with claims (e.g. subject ID) or an invalid result with an error code
+and message, e.g.:
+
+```csharp
+public class ExtensionGrantValidator : IExtensionGrantValidator
+{
+ public Task ValidateAsync(ExtensionGrantValidationContext context)
+ {
+ // some validation steps
+
+ if (success)
+ {
+ context.Result = new GrantValidationResult(
+ subject: "818727",
+ authenticationMethod: "custom",
+ claims: extraClaims);
+ }
+ else
+ {
+ // custom error message
+ context.Result = new GrantValidationResult(
+ TokenRequestErrors.InvalidGrant,
+ "invalid custom credential");
+ }
+
+ return Task.CompletedTask;
+ }
+}
+```
+
+It also allows passing additional custom values that will be included in the token response, e.g.:
+
+```csharp
+context.Result = new GrantValidationResult(
+ subject: "818727",
+ authenticationMethod: "custom",
+ customResponse: new Dictionary
+ {
+ { "some_data", "some_value" }
+ });
+```
+
+This will result in the following token response:
+
+```json
+{
+ "access_token": "...",
+ "token_type": "Bearer",
+ "expires_in": 360,
+ "some_data": "some_value"
+}
+```
diff --git a/astro/src/content/docs/identityserver/reference/v7/models/identity-resource.md b/astro/src/content/docs/identityserver/reference/v7/models/identity-resource.md
new file mode 100644
index 000000000..ee0f8d0c7
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/models/identity-resource.md
@@ -0,0 +1,64 @@
+---
+title: "Identity Resource"
+description: "Reference documentation for the IdentityResource class which models an identity resource in Duende IdentityServer, including standard and custom identity resources and their properties."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ order: 20
+redirect_from:
+ - /identityserver/v7/reference/models/identity_resource/
+---
+
+## Duende.IdentityServer.Models.IdentityResource
+
+This class models an identity resource.
+
+```csharp
+public static readonly IEnumerable IdentityResources =
+ new[]
+ {
+ // some standard scopes from the OIDC spec
+ new IdentityResources.OpenId(),
+ new IdentityResources.Profile(),
+ new IdentityResources.Email(),
+
+ // custom identity resource with some associated claims
+ new IdentityResource("custom.profile",
+ userClaims: new[] { JwtClaimTypes.Name, JwtClaimTypes.Email, "location", JwtClaimTypes.Address })
+ };
+```
+
+* **`Enabled`**
+
+ Indicates if this resource is enabled and can be requested. Defaults to true.
+
+* **`Name`**
+
+ The unique name of the identity resource. This is the value a client will use for the scope parameter in the authorize
+ request.
+
+* **`DisplayName`**
+
+ This value will be used e.g. on the consent screen.
+
+* **`Description`**
+
+ This value will be used e.g. on the consent screen.
+
+* **`Required`**
+
+ Specifies whether the user can de-select the scope on the consent screen (if the consent screen wants to implement
+ such a feature).
+ Defaults to false.
+
+* **`Emphasize`**
+
+ Specifies whether the consent screen will emphasize this scope (if the consent screen wants to implement such a
+ feature). Use this setting for sensitive or important scopes. Defaults to false.
+
+* **`ShowInDiscoveryDocument`**
+
+ Specifies whether this scope is shown in the discovery document. Defaults to `true`.
+
+* **`UserClaims`**
+
+ List of associated user claim types that should be included in the identity token.
diff --git a/astro/src/content/docs/identityserver/reference/v7/models/idp.md b/astro/src/content/docs/identityserver/reference/v7/models/idp.md
new file mode 100644
index 000000000..dc8cd377c
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/models/idp.md
@@ -0,0 +1,84 @@
+---
+title: "Identity Provider"
+description: "Reference documentation for identity provider models in Duende IdentityServer, including OidcProvider for external OpenID Connect providers, IdentityProviderName, and the base IdentityProvider class."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ order: 35
+redirect_from:
+ - /identityserver/v7/reference/models/idp/
+---
+
+## Duende.IdentityServer.Models.OidcProvider
+
+The `OidcProvider` models an external OpenID Connect provider for use in
+the [dynamic providers](/identityserver/ui/login/dynamicproviders.md) feature.
+Its properties map to the Open ID Connect options class from ASP.NET Core, and those properties include:
+
+* **`Enabled`**
+
+ Specifies if provider is enabled. Defaults to `true`.
+
+* **`Scheme`**
+
+ Scheme name for the provider.
+
+* **`DisplayName`**
+
+ Display name for the provider.
+
+* **`Type`**
+
+ Protocol type of the provider. Defaults to `"oidc"` for the `OidcProvider`.
+
+* **`Authority`**
+
+ The base address of the OIDC provider.
+
+* **`ResponseType`**
+
+ The response type. Defaults to `"id_token"`.
+
+* **`ClientId`**
+
+ The client id.
+
+* **`ClientSecret`**
+
+ The client secret. By default, this is the plaintext client secret and great consideration should be taken if this
+ value is to be stored as plaintext in the store. It is possible to store this in a protected way and then unprotect
+ when loading from the store either by implementing a custom `IIdentityProviderStore` or registering a custom
+ `IConfigureNamedOptions`.
+
+* **`Scope`**
+
+ Space separated list of scope values.
+
+* **`GetClaimsFromUserInfoEndpoint`**
+
+ Indicates if userinfo endpoint is to be contacted. Defaults to true.
+
+* **`UsePkce`**
+
+ Indicates if PKCE should be used. Defaults to true.
+
+#### Duende.IdentityServer.Models.IdentityProviderName
+
+The `IdentityProviderName` models the display name of an identity provider.
+
+* **`Enabled`**
+
+ Specifies if provider is enabled.
Defaults to `true`.
+
+* **`Scheme`**
+
+ Scheme name for the provider.
+
+* **`DisplayName`**
+
+ Display name for the provider.
+
+#### Duende.IdentityServer.Models.IdentityProvider
+
+The `IdentityProvider` is a base class to model arbitrary identity providers, which `OidcProvider` derives from.
+This leaves open the possibility for extensions to the dynamic provider feature to support other protocol types (as
+distinguished by the `Type` property).
diff --git a/astro/src/content/docs/identityserver/reference/v7/models/license-usage-summary.md b/astro/src/content/docs/identityserver/reference/v7/models/license-usage-summary.md
new file mode 100644
index 000000000..cd4b25c47
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/models/license-usage-summary.md
@@ -0,0 +1,94 @@
+---
+title: "License Usage Summary"
+description: "Reference documentation for the LicenseUsageSummary class which provides detailed information about clients, issuers, and features used in Duende IdentityServer for self-auditing and license compliance."
+date: 2025-01-07T12:00:00+02:00
+sidebar:
+ order: 90
+ badge:
+ text: v7.1
+ variant: tip
+redirect_from:
+ - /identityserver/v7/reference/models/license_usage_summary/
+---
+
+## Duende.IdentityServer.Licensing.LicenseUsageSummary
+
+Added in 7.1
+
+The `LicenseUsageSummary` class allows developers to get a
+detailed summary of clients, issuers, and features used
+during the lifetime of an active .NET application for self-auditing
+purposes.
+
+* **`LicenseEdition`**
+
+ Indicates the current IdentityServer instance's license edition.
+
+* **`ClientsUsed`**
+
+ A `string` collection of clients used with the current IdentityServer instance.
+
+* **`IssuersUsed`**
+
+ A `string` collection of issuers used with the current IdentityServer instance.
+
+* **`FeaturesUsed`**
+
+ A `string` collection of features has been used since the IdentityServer instance ran.
+
+## Register LicenseUsageSummary Services
+
+To make the `LicenseUsageSummary` class available in your application, you'll need to make sure it is registered in the service collection at startup.
+You can do this by calling the `AddLicenseSummary()` extension method when registering IdentityServer:
+
+```csharp
+// Program.cs
+builder.Services.AddIdentityServer()
+ .AddLicenseSummary();
+```
+
+## Using LicenseUsageSummary with .NET Lifetime Events
+
+In .NET, an [`IHost`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.extensions.hosting.ihostapplicationlifetime)
+implementation allows developers to subscribe to application
+lifetime events, including **Application Started**, **Application Stopped**,
+and **Application Stopping**.
IdentityServer tracks usage metrics internally
+and that information may be accessed by developers at any time during the application's lifetime
+from the application's service collection using the following code snippet.
+
+```csharp
+// from a valid services scope
+app.Services.GetRequiredService();
+```
+
+For self-auditing purposes, we recommend using the `IHost` lifetime event `ApplicationStopping` as shown
+in the example below.
+
+Note, `LicenseUsageSummary` is *`read-only`*.
+
+```csharp
+app.Lifetime.ApplicationStopping.Register(() =>
+{
+ var usage = app.Services.GetRequiredService();
+ // Todo: Substitue a different logging mechanism
+ Console.Write(Summary(usage));
+});
+```
+
+Developers may also use common dependency injection techniques
+such as property or constructor injection.
+
+```csharp
+// An ASP.NET Core MVC Controller
+public class MyController : Controller
+{
+ public MyController(LicenseUsageSummary summary)
+ {
+ // use the summary information
+ }
+}
+```
+
+Developers can use the license usage summary to determine if their organization is
+within their current licensing tier or if they need to make adjustments to
+stay within compliance of [Duende licensing terms](https://duendesoftware.com/products/identityserver).
diff --git a/astro/src/content/docs/identityserver/reference/v7/models/secrets.md b/astro/src/content/docs/identityserver/reference/v7/models/secrets.md
new file mode 100644
index 000000000..a2a96930b
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/models/secrets.md
@@ -0,0 +1,105 @@
+---
+title: "Secrets"
+description: "Reference documentation for secret handling in Duende IdentityServer, including the ISecretParser interface for extracting secrets from HTTP requests, the ParsedSecret class, and the ISecretValidator interface."
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ order: 70
+redirect_from:
+ - /identityserver/v7/reference/models/secrets/
+---
+
+## Duende.IdentityServer.Validation.ISecretParser
+
+Parses a secret from the raw HTTP request.
+
+```csharp
+public interface ISecretParser
+{
+ ///
+ /// Tries to find a secret on the context that can be used for authentication
+ ///
+ /// The HTTP context.
+ /// A parsed secret
+ Task ParseAsync(HttpContext context);
+
+ ///
+ /// Returns the authentication method name that this parser implements
+ ///
+ /// The authentication method.
+ string AuthenticationMethod { get; }
+}
+```
+
+* **`AuthenticationMethod`**
+
+ The name of the authentication method that this parser registers for. This value must be unique and will be displayed
+ in the discovery document.
+
+* **`ParseAsync`**
+
+ The job of this method is to extract the secret from the HTTP request and parse it into a `ParsedSecret`
+
+#### Duende.IdentityServer.Model.ParsedSecret
+
+Represents a parsed secret.
+
+```csharp
+///
+/// Represents a secret extracted from the HttpContext
+///
+public class ParsedSecret
+{
+ ///
+ /// Gets or sets the identifier associated with this secret
+ ///
+ ///
+ /// The identifier.
+ ///
+ public string Id { get; set; }
+
+ ///
+ /// Gets or sets the credential to verify the secret
+ ///
+ ///
+ /// The credential.
+ ///
+ public object Credential { get; set; }
+
+ ///
+ /// Gets or sets the type of the secret
+ ///
+ ///
+ /// The type.
+ ///
+ public string Type { get; set; }
+
+ ///
+ /// Gets or sets additional properties.
+ ///
+ ///
+ /// The properties.
+ ///
+ public Dictionary Properties { get; set; } = new Dictionary();
+}
+```
+
+The parsed secret is forwarded to the registered secret validator. The validator will typically inspect the `Type`
+property to determine if this secret is something that can be validated by that validator instance. If yes, it will know
+how to cast the `Credential` object into a format that is understood.
+
+#### Duende.IdentityServer.Validation.ISecretParser
+
+Validates a parsed secret.
+
+```csharp
+public interface ISecretValidator
+{
+ /// Validates a secret
+ /// The stored secrets.
+ /// The received secret.
+ /// A validation result
+ Task ValidateAsync(
+ IEnumerable secrets,
+ ParsedSecret parsedSecret);
+}
+```
diff --git a/astro/src/content/docs/identityserver/reference/options.md b/astro/src/content/docs/identityserver/reference/v7/options.md
similarity index 99%
rename from astro/src/content/docs/identityserver/reference/options.md
rename to astro/src/content/docs/identityserver/reference/v7/options.md
index f9100bbdb..00e56a57d 100644
--- a/astro/src/content/docs/identityserver/reference/options.md
+++ b/astro/src/content/docs/identityserver/reference/v7/options.md
@@ -5,10 +5,6 @@ sidebar:
 label: Options
 order: 10
 redirect_from:
- - /identityserver/v5/reference/options/
- - /identityserver/v5/reference/
- - /identityserver/v6/reference/options/
- - /identityserver/v6/reference/
 - /identityserver/v7/reference/options/
 - /identityserver/v7/reference/
 ---
@@ -776,7 +772,7 @@ Note that preview features can be removed and may break in future releases.
 #### Discovery Document Cache
 In large deployments of Duende IdentityServer, where a lot of concurrent users attempt to
-consume the [discovery endpoint](/identityserver/reference/endpoints/discovery.md) to retrieve
+consume the [discovery endpoint](/identityserver/reference/v7/endpoints/discovery.md) to retrieve
 metadata about your IdentityServer, you can increase throughput by enabling the discovery document cache preview using the _`EnableDiscoveryDocumentCache`_ flag. This will cache discovery document information for the duration specified in the
diff --git a/astro/src/content/docs/identityserver/reference/response-handling/_meta.yml b/astro/src/content/docs/identityserver/reference/v7/response-handling/_meta.yml
similarity index 100%
rename from astro/src/content/docs/identityserver/reference/response-handling/_meta.yml
rename to astro/src/content/docs/identityserver/reference/v7/response-handling/_meta.yml
diff --git a/astro/src/content/docs/identityserver/reference/v7/response-handling/authorize-interaction-response-generator.md b/astro/src/content/docs/identityserver/reference/v7/response-handling/authorize-interaction-response-generator.md
new file mode 100644
index 000000000..5dc15b402
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/response-handling/authorize-interaction-response-generator.md
@@ -0,0 +1,63 @@
+---
+title: "Authorize Interaction Response Generator"
+description: Documentation for the IAuthorizeInteractionResponseGenerator interface which determines if a user must log in or consent when making requests to the authorization endpoint.
+sidebar:
+ order: 10
+redirect_from:
+ - /identityserver/v7/reference/response_handling/authorize_interaction_response_generator/
+---
+
+#### Duende.IdentityServer.ResponseHandling.IAuthorizeInteractionResponseGenerator
+
+The `IAuthorizeInteractionResponseGenerator` interface models the logic for determining if user must log in or consent
+when making requests to the authorization endpoint.
+
+:::note
+If a custom implementation of `IAuthorizeInteractionResponseGenerator` is desired, then
+it's [recommended](/identityserver/ui/custom.md#built-in-authorizeinteractionresponsegenerator) to derive from the
+built-in `AuthorizeInteractionResponseGenerator` to inherit all the default logic pertaining to log in and consent
+semantics.
+:::
+
+## IAuthorizeInteractionResponseGenerator APIs
+
+* **`ProcessInteractionAsync`**
+
+ Returns the `InteractionResponse` based on the `ValidatedAuthorizeRequest` an and optional `ConsentResponse` if the
+ user was shown a consent page.
+
+## InteractionResponse
+
+* **`IsLogin`**
+
+ Specifies if the user must log in.
+
+* **`IsConsent`**
+
+ Specifies if the user must consent.
+
+* **`IsCreateAccount`**
+
+ Added in `v6.3`.
+
+ Specifies if the user must create an account.
+
+* **`IsError`**
+
+ Specifies if the user must be shown an error page.
+
+* **`Error`**
+
+ The error to display on the error page.
+
+* **`ErrorDescription`**
+
+ The description of the error to display on the error page.
+
+* **`IsRedirect`**
+
+ Specifies if the user must be redirected to a custom page for custom processing.
+
+* **`RedirectUrl`**
+
+ The URL for the redirect to the page for custom processing.
diff --git a/astro/src/content/docs/identityserver/reference/v7/response-handling/http-response-writer.md b/astro/src/content/docs/identityserver/reference/v7/response-handling/http-response-writer.md
new file mode 100644
index 000000000..301fe7a47
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/response-handling/http-response-writer.md
@@ -0,0 +1,47 @@
+---
+title: "IHttpResponseWriter"
+description: Documentation for the IHttpResponseWriter interface, a low-level abstraction for customizing serialization, encoding, and HTTP headers in protocol endpoint responses.
+sidebar:
+ order: 100
+redirect_from:
+ - /identityserver/v7/reference/response_handling/http_response_writer/
+---
+
+The `IHttpResponseWriter` interface is the contract for services that can produce HTTP responses for `IEndpointResult`s.
+This is a low-level abstraction that is intended to be used if you need to customize the serialization, encoding, or
+HTTP headers in a response from a protocol endpoint.
+
+#### Duende.IdentityServer.Hosting.IHttpResponseWriter
+
+```csharp
+///
+/// Contract for a service that writes appropriate http responses for objects.
+///
+public interface IHttpResponseWriter
+ where T : IEndpointResult
+{
+ ///
+ /// Writes the endpoint result to the HTTP response.
+ ///
+ Task WriteHttpResponse(T result, HttpContext context);
+}
+```
+
+#### Duende.IdentityServer.Hosting.IEndpointResult
+
+```csharp
+///
+/// An is the object model that describes the
+/// results that will returned by one of the protocol endpoints provided by
+/// IdentityServer, and can be executed to produce an HTTP response.
+///
+public interface IEndpointResult
+{
+ ///
+ /// Executes the result to write an http response.
+ ///
+ /// The HTTP context.
+ Task ExecuteAsync(HttpContext context);
+}
+```
diff --git a/astro/src/content/docs/identityserver/reference/v7/response-handling/index.md b/astro/src/content/docs/identityserver/reference/v7/response-handling/index.md
new file mode 100644
index 000000000..8f077f5be
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/response-handling/index.md
@@ -0,0 +1,13 @@
+---
+title: Response Generators
+description: An overview of IdentityServer's response generation pattern and customization options for protocol endpoint responses.
+sidebar:
+ order: 1
+ label: Overview
+redirect_from:
+ - /identityserver/v7/reference/response_handling/
+---
+
+IdentityServer's endpoints follow a pattern of abstraction in which a response generator uses a validated input model to produce a response model. The response model is a type that represents the data that will be returned from the endpoint. The response model is then wrapped in a result model, which is a type that facilitates serialization by an implementation of `IHttpResponseWriter`.
+
+Customization of protocol endpoint responses is possible in both the response generators and response writers. Response generator customization is appropriate when you want to change the "business logic" of an endpoint and is typically accomplished by overriding virtual methods in the default response generator. Response writer customization is appropriate when you want to change the serialization, encoding, or headers of the HTTP response and is accomplished by registering a custom implementation of the `IHttpResponseWriter`.
diff --git a/astro/src/content/docs/identityserver/reference/response-handling/token_response_generator.md b/astro/src/content/docs/identityserver/reference/v7/response-handling/token_response_generator.md
similarity index 98%
rename from astro/src/content/docs/identityserver/reference/response-handling/token_response_generator.md
rename to astro/src/content/docs/identityserver/reference/v7/response-handling/token_response_generator.md
index 53e7e81f3..c57094351 100644
--- a/astro/src/content/docs/identityserver/reference/response-handling/token_response_generator.md
+++ b/astro/src/content/docs/identityserver/reference/v7/response-handling/token_response_generator.md
@@ -4,7 +4,6 @@ description: Documentation for the ITokenResponseGenerator interface and its imp
 sidebar:
 order: 20
 redirect_from:
- - /identityserver/v6/reference/response_handling/token_response_generator/
 - /identityserver/v7/reference/response_handling/token_response_generator/
 ---
diff --git a/astro/src/content/docs/identityserver/reference/services/_meta.yml b/astro/src/content/docs/identityserver/reference/v7/services/_meta.yml
similarity index 100%
rename from astro/src/content/docs/identityserver/reference/services/_meta.yml
rename to astro/src/content/docs/identityserver/reference/v7/services/_meta.yml
diff --git a/astro/src/content/docs/identityserver/reference/services/ciba-interaction-service.md b/astro/src/content/docs/identityserver/reference/v7/services/ciba-interaction-service.md
similarity index 90%
rename from astro/src/content/docs/identityserver/reference/services/ciba-interaction-service.md
rename to astro/src/content/docs/identityserver/reference/v7/services/ciba-interaction-service.md
index bbad8da93..d873b5c72 100644
--- a/astro/src/content/docs/identityserver/reference/services/ciba-interaction-service.md
+++ b/astro/src/content/docs/identityserver/reference/v7/services/ciba-interaction-service.md
@@ -5,8 +5,6 @@ sidebar:
 label: Backchannel Authentication Interaction
 order: 80
 redirect_from:
- - /identityserver/v5/reference/services/ciba_interaction_service/
- - /identityserver/v6/reference/services/ciba_interaction_service/
 - /identityserver/v7/reference/services/ciba_interaction_service/
 ---
@@ -21,12 +19,12 @@ MVC controllers for the user interface of IdentityServer.
 * **`GetPendingLoginRequestsForCurrentUserAsync`**
- Returns a collection of [BackchannelUserLoginRequest](/identityserver/reference/models/ciba-login-request.md) objects
+ Returns a collection of [BackchannelUserLoginRequest](/identityserver/reference/v7/models/ciba-login-request.md) objects
 which represent pending login requests for the current user.
 * **`GetLoginRequestByInternalIdAsync`**
- Returns the [BackchannelUserLoginRequest](/identityserver/reference/models/ciba-login-request.md) object for the id.
+ Returns the [BackchannelUserLoginRequest](/identityserver/reference/v7/models/ciba-login-request.md) object for the id.
 * **`CompleteLoginRequestAsync`**
diff --git a/astro/src/content/docs/identityserver/reference/services/ciba-user-notification.md b/astro/src/content/docs/identityserver/reference/v7/services/ciba-user-notification.md
similarity index 79%
rename from astro/src/content/docs/identityserver/reference/services/ciba-user-notification.md
rename to astro/src/content/docs/identityserver/reference/v7/services/ciba-user-notification.md
index 85bdf7a59..7a0f4e79e 100644
--- a/astro/src/content/docs/identityserver/reference/services/ciba-user-notification.md
+++ b/astro/src/content/docs/identityserver/reference/v7/services/ciba-user-notification.md
@@ -5,8 +5,6 @@ sidebar:
 label: Backchannel Authentication User Notification
 order: 90
 redirect_from:
- - /identityserver/v5/reference/services/ciba_user_notification/
- - /identityserver/v6/reference/services/ciba_user_notification/
 - /identityserver/v7/reference/services/ciba_user_notification/
 ---
@@ -21,4 +19,4 @@ To use CIBA, you are expected to implement this interface and register it in the
 * **`SendLoginRequestAsync`**
 Sends a notification for the user to login via
- the [BackchannelUserLoginRequest](/identityserver/reference/models/ciba-login-request.md) parameter.
+ the [BackchannelUserLoginRequest](/identityserver/reference/v7/models/ciba-login-request.md) parameter.
diff --git a/astro/src/content/docs/identityserver/reference/services/device-flow-interaction-service.md b/astro/src/content/docs/identityserver/reference/v7/services/device-flow-interaction-service.md
similarity index 90%
rename from astro/src/content/docs/identityserver/reference/services/device-flow-interaction-service.md
rename to astro/src/content/docs/identityserver/reference/v7/services/device-flow-interaction-service.md
index d9f49a80a..cf17287a8 100644
--- a/astro/src/content/docs/identityserver/reference/services/device-flow-interaction-service.md
+++ b/astro/src/content/docs/identityserver/reference/v7/services/device-flow-interaction-service.md
@@ -6,8 +6,6 @@ sidebar:
 label: Device Flow Interaction
 order: 65
 redirect_from:
- - /identityserver/v5/reference/services/device_flow_interaction_service/
- - /identityserver/v6/reference/services/device_flow_interaction_service/
 - /identityserver/v7/reference/services/device_flow_interaction_service/
 ---
diff --git a/astro/src/content/docs/identityserver/reference/services/interaction-service.md b/astro/src/content/docs/identityserver/reference/v7/services/interaction-service.md
similarity index 96%
rename from astro/src/content/docs/identityserver/reference/services/interaction-service.md
rename to astro/src/content/docs/identityserver/reference/v7/services/interaction-service.md
index 71aff40f9..c3e95d924 100644
--- a/astro/src/content/docs/identityserver/reference/services/interaction-service.md
+++ b/astro/src/content/docs/identityserver/reference/v7/services/interaction-service.md
@@ -6,8 +6,6 @@ sidebar: label: IdentityServer Interaction order: 60 redirect_from: - - /identityserver/v5/reference/services/interaction_service/ - - /identityserver/v6/reference/services/interaction_service/ - /identityserver/v7/reference/services/interaction_service/ --- @@ -208,7 +206,7 @@ The above methods return various models. Optional description the user can set for the grant (e.g. the name of the device being used when consent is given). This can be presented back to the user from - the [persisted grant service](/identityserver/reference/services/persisted-grant-service.md). + the [persisted grant service](/identityserver/reference/v7/services/persisted-grant-service.md). * **`Error`** diff --git a/astro/src/content/docs/identityserver/reference/services/persisted-grant-service.md b/astro/src/content/docs/identityserver/reference/v7/services/persisted-grant-service.md similarity index 95% rename from astro/src/content/docs/identityserver/reference/services/persisted-grant-service.md rename to astro/src/content/docs/identityserver/reference/v7/services/persisted-grant-service.md index 02226e6a5..88a28c6a5 100644 --- a/astro/src/content/docs/identityserver/reference/services/persisted-grant-service.md +++ b/astro/src/content/docs/identityserver/reference/v7/services/persisted-grant-service.md @@ -5,8 +5,6 @@ sidebar: label: Persisted Grant order: 43 redirect_from: - - /identityserver/v5/reference/services/persisted_grant_service/ - - /identityserver/v6/reference/services/persisted_grant_service/ - /identityserver/v7/reference/services/persisted_grant_service/ --- diff --git a/astro/src/content/docs/identityserver/reference/services/profile-service.md b/astro/src/content/docs/identityserver/reference/v7/services/profile-service.md similarity index 95% rename from astro/src/content/docs/identityserver/reference/services/profile-service.md rename to astro/src/content/docs/identityserver/reference/v7/services/profile-service.md index 234c17b64..8c423f5d0 100644 
--- a/astro/src/content/docs/identityserver/reference/services/profile-service.md +++ b/astro/src/content/docs/identityserver/reference/v7/services/profile-service.md @@ -6,11 +6,7 @@ sidebar: label: Profile order: 40 redirect_from: - - /identityserver/v5/reference/services/ - - /identityserver/v6/reference/services/ - /identityserver/v7/reference/services/ - - /identityserver/v5/reference/services/profile_service/ - - /identityserver/v6/reference/services/profile_service/ - /identityserver/v7/reference/services/profile_service/ --- diff --git a/astro/src/content/docs/identityserver/reference/services/refresh-token-service.md b/astro/src/content/docs/identityserver/reference/v7/services/refresh-token-service.md similarity index 95% rename from astro/src/content/docs/identityserver/reference/services/refresh-token-service.md rename to astro/src/content/docs/identityserver/reference/v7/services/refresh-token-service.md index 0ec3697a1..c18f6dca1 100644 --- a/astro/src/content/docs/identityserver/reference/services/refresh-token-service.md +++ b/astro/src/content/docs/identityserver/reference/v7/services/refresh-token-service.md @@ -5,8 +5,6 @@ sidebar: label: Refresh Token order: 50 redirect_from: - - /identityserver/v5/reference/services/refresh_token_service/ - - /identityserver/v6/reference/services/refresh_token_service/ - /identityserver/v7/reference/services/refresh_token_service/ --- diff --git a/astro/src/content/docs/identityserver/reference/services/session-management-service.md b/astro/src/content/docs/identityserver/reference/v7/services/session-management-service.md similarity index 96% rename from astro/src/content/docs/identityserver/reference/services/session-management-service.md rename to astro/src/content/docs/identityserver/reference/v7/services/session-management-service.md index 22f36193f..90ecf7c54 100644 --- a/astro/src/content/docs/identityserver/reference/services/session-management-service.md 
+++ b/astro/src/content/docs/identityserver/reference/v7/services/session-management-service.md @@ -5,8 +5,6 @@ sidebar: label: Session Management order: 57 redirect_from: - - /identityserver/v5/reference/services/session_management_service/ - - /identityserver/v6/reference/services/session_management_service/ - /identityserver/v7/reference/services/session_management_service/ --- diff --git a/astro/src/content/docs/identityserver/reference/v7/services/token-creation-service.md b/astro/src/content/docs/identityserver/reference/v7/services/token-creation-service.md new file mode 100644 index 000000000..eef23cb25 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/services/token-creation-service.md 
@@ -0,0 +1,83 @@ +--- +title: "Token Creation Service" +description: Documentation for the ITokenCreationService interface which is responsible for creating security tokens by converting Token models into JWTs with customization options. +sidebar: + label: Token Creation + order: 50 +redirect_from: + - /identityserver/v7/reference/services/token_creation_service/ +--- + +IdentityServer uses an `ITokenCreationService` which is responsible for the creation +of tokens, with the default implementation of `DefaultTokenCreationService`. + +```csharp +/// +/// Logic for creating security tokens +/// +public interface ITokenCreationService +{ + /// + /// Creates a token. + /// + /// The token description. + /// The cancellation token. + /// A protected and serialized security token + Task CreateTokenAsync(Token token, CancellationToken ct); +} +``` + +The Token creation service takes the `Token` model and converts it into +a JWT. During the JWT creation, you have one last opportunity to +modify the `Token` by adding, removing, or altering property values. Common use cases +for implementing the `ITokenCreationService` include modifying claims, audiences, and more +from a secondary data source, such as a profile service, database, or third-party service +when other approaches are not an option. + +Note that there are better places within IdentityServer's infrastructure to add +additional claims, such as `IClaimService`, `ITokenService`, and [`IProfileService`](/identityserver/reference/v7/services/profile-service.md). +We recommend investigating whether overriding those interfaces would be enough +before implementing `ITokenCreationService`. 
+ +You can think of each of the services as providing the following functionality: + +- `ITokenCreationService` : Serialization of the `Token` model into a JWT +- `ITokenService`: Building the `Token` model +- `IClaimsService`: Customizing claims on the Token +- `IProfileService`: User-centric profile data used in the Token and UserInfo endpoint + +If, after research, you have still decided to implement `ITokenCreationService`, we recommend you +inherit and override methods on `DefaultTokenCreationService`, specifically the `CreatePayloadAsync` method. + +:::caution +Do not overload your tokens with large amounts of data, as it can lead to large JWTs and adversely affect system +performance. +::: + +```csharp +public class CustomTokenCreationService : DefaultTokenCreationService +{ + public CustomTokenCreationService(TimeProvider timeProvider, + IKeyMaterialService keys, + IdentityServerOptions options, + ILogger logger) + : base(timeProvider, keys, options, logger) + { + } + + protected override Task CreatePayloadAsync(Token token) + { + token.Audiences.Add("custom1"); + return base.CreatePayloadAsync(token); + } +} +``` + +After creating your new implementation, register the type in your application's service collection. + +```csharp +// Program.cs +builder.Services.AddTransient(); +``` + +IdentityServer will begin to use your new implementation in place of `DefaultTokenCreationService`. diff --git a/astro/src/content/docs/identityserver/reference/services/user-session-service.md b/astro/src/content/docs/identityserver/reference/v7/services/user-session-service.md similarity index 59% rename from astro/src/content/docs/identityserver/reference/services/user-session-service.md rename to astro/src/content/docs/identityserver/reference/v7/services/user-session-service.md index fec0b44f3..59444c001 100644 --- a/astro/src/content/docs/identityserver/reference/services/user-session-service.md 
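Review bot: The interface name is inconsistent within the new page: the paragraph after the first code block refers to `IClaimService`, while the bullet list below names `IClaimsService`; one of the two is a typo and should match the real interface name. The signatures `Task CreateTokenAsync(Token token, CancellationToken ct)` and `builder.Services.AddTransient();` also appear without their generic type arguments — if that is how the file reads rather than an artifact of how this diff is rendered, the registration line should be `builder.Services.AddTransient<ITokenCreationService, CustomTokenCreationService>();` or the sample will not compile. The `CustomTokenCreationService` sample appends `custom1` to `token.Audiences` unconditionally, and `CreatePayloadAsync` presumably runs for every token the service serializes; a sentence noting that implementers should check the token's type if the extra audience is meant for access tokens only would keep readers from widening identity-token audiences by accident.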
+++ b/astro/src/content/docs/identityserver/reference/v7/services/user-session-service.md
@@ -5,11 +5,7 @@ sidebar:
 label: User Session
 order: 55
 redirect_from:
- - /identityserver/v5/reference/services/user_sesion_service/
- - /identityserver/v6/reference/services/user_sesion_service/
 - /identityserver/v7/reference/services/user_sesion_service/
- - /identityserver/v5/reference/services/user_session_service/
- - /identityserver/v6/reference/services/user_session_service/
 - /identityserver/v7/reference/services/user_session_service/
 ---
@@ -34,15 +30,15 @@ client list in the authentication properties. #### Members -| name | description | -|---------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| -| Task CreateSessionIdAsync(ClaimsPrincipal principal, AuthenticationProperties properties) | Creates a session id and issues the session id cookie. | -| Task GetUserAsync() | Gets the current authenticated user. | -| Task GetSessionIdAsync() | Gets the current session identifier. | -| Task EnsureSessionIdCookieAsync() | Ensures the session identifier cookie is synchronized with the current session identifier. | -| Task RemoveSessionIdCookieAsync() | Removes the session identifier cookie. | -| Task AddClientIdAsync(string clientId) | Adds a client to the list of clients the user has signed into during their session. | -| Task> GetClientListAsync() | Gets the list of clients the user has signed into during their session. | +| name | description | +|-----------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| +| `Task CreateSessionIdAsync(ClaimsPrincipal principal, AuthenticationProperties properties)` | Creates a session id and issues the session id cookie. | +| `Task GetUserAsync()` | Gets the current authenticated user. | +| `Task GetSessionIdAsync()` | Gets the current session identifier. | +| `Task EnsureSessionIdCookieAsync()` | Ensures the session identifier cookie is synchronized with the current session identifier. | +| `Task RemoveSessionIdCookieAsync()` | Removes the session identifier cookie. | +| `Task AddClientIdAsync(string clientId)` | Adds a client to the list of clients the user has signed into during their session. | +| `Task> GetClientListAsync()` | Gets the list of clients the user has signed into during their session. 
| #### GetUserAsync diff --git a/astro/src/content/docs/identityserver/reference/stores/_meta.yml b/astro/src/content/docs/identityserver/reference/v7/stores/_meta.yml similarity index 100% rename from astro/src/content/docs/identityserver/reference/stores/_meta.yml rename to astro/src/content/docs/identityserver/reference/v7/stores/_meta.yml diff --git a/astro/src/content/docs/identityserver/reference/stores/backchannel-auth-request-store.md b/astro/src/content/docs/identityserver/reference/v7/stores/backchannel-auth-request-store.md similarity index 96% rename from astro/src/content/docs/identityserver/reference/stores/backchannel-auth-request-store.md rename to astro/src/content/docs/identityserver/reference/v7/stores/backchannel-auth-request-store.md index 3b6c975bf..fc37c6658 100644 --- a/astro/src/content/docs/identityserver/reference/stores/backchannel-auth-request-store.md +++ b/astro/src/content/docs/identityserver/reference/v7/stores/backchannel-auth-request-store.md @@ -5,8 +5,6 @@ sidebar: label: Backchannel Authentication Request order: 80 redirect_from: - - /identityserver/v5/reference/stores/backchannel_auth_request_store/ - - /identityserver/v6/reference/stores/backchannel_auth_request_store/ - /identityserver/v7/reference/stores/backchannel_auth_request_store/ --- diff --git a/astro/src/content/docs/identityserver/reference/v7/stores/client-store.md b/astro/src/content/docs/identityserver/reference/v7/stores/client-store.md new file mode 100644 index 000000000..93042c57d --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/stores/client-store.md 
@@ -0,0 +1,28 @@ +--- +title: "Client Store" +description: Documentation for the IClientStore interface which is used to dynamically load client configuration by client ID. +sidebar: + label: Client + order: 36 +redirect_from: + - /identityserver/v7/reference/stores/client_store/ +--- + +#### Duende.IdentityServer.Stores.IClientStore + +Used to dynamically load client configuration. + +```csharp +/// +/// Retrieval of client configuration +/// +public interface IClientStore +{ + /// + /// Finds a client by id + /// + /// The client id + /// The client + Task FindClientByIdAsync(string clientId); +} +``` diff --git a/astro/src/content/docs/identityserver/reference/v7/stores/cors-policy-service.md b/astro/src/content/docs/identityserver/reference/v7/stores/cors-policy-service.md new file mode 100644 index 000000000..b22a6b5bd --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/stores/cors-policy-service.md @@ -0,0 +1,29 @@ +--- +title: "CORS Policy Service" +description: Documentation for the ICorsPolicyService interface which determines if CORS requests from specific origins are allowed to access protocol endpoints. +sidebar: + label: CORS Policy + order: 36 +redirect_from: + - /identityserver/v7/reference/stores/cors_policy_service/ +--- + +#### Duende.IdentityServer.Stores.ICorsPolicyService + +Used to determine if CORS requests are allowed to certain protocol endpoints. + +```csharp +/// +/// Service that determines if CORS is allowed. +/// +public interface ICorsPolicyService +{ + /// + /// Determines whether origin is allowed. + /// + /// The origin. + /// The cancellation token. + /// + Task IsOriginAllowedAsync(string origin, CancellationToken ct); +} +``` diff --git a/astro/src/content/docs/identityserver/reference/v7/stores/device-flow-store.md b/astro/src/content/docs/identityserver/reference/v7/stores/device-flow-store.md new file mode 100644 index 000000000..b7afa3a39 --- /dev/null 
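Review bot: `Task FindClientByIdAsync(string clientId)` in the new IClientStore page is the only store method in this commit without a `CancellationToken` parameter, while the neighbouring ICorsPolicyService, IDeviceFlowStore and IPushedAuthorizationRequestStore pages all take a `ct`. If that is how the v7 interface is declared, a one-line note saying so would stop readers from assuming the page is stale; if the signature was carried over from an older page, it should be reconciled with the others. In the CORS page, the last `///` line above `IsOriginAllowedAsync` is empty, so the meaning of the returned value is never stated; `true if the origin may call the protocol endpoints; otherwise false` would make the contract explicit for custom implementations.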
+++ b/astro/src/content/docs/identityserver/reference/v7/stores/device-flow-store.md 
@@ -0,0 +1,151 @@ +--- +title: "Device Flow Store" +description: Documentation for the IDeviceFlowStore interface which manages storage of authorization grants for the device flow authentication process. +sidebar: + label: Device Flow + order: 43 +redirect_from: + - /identityserver/v7/reference/stores/device_flow_store/ +--- + +#### Duende.IdentityServer.Stores.IDeviceFlowStore + +Models storage of grants for the device flow. + +```csharp +/// +/// Interface for the device flow store +/// +public interface IDeviceFlowStore +{ + /// + /// Stores the device authorization request. + /// + /// The device code. + /// The user code. + /// The data. + /// The cancellation token. + /// + Task StoreDeviceAuthorizationAsync(string deviceCode, string userCode, DeviceCode data, CancellationToken ct); + + /// + /// Finds device authorization by user code. + /// + /// The user code. + /// The cancellation token. + /// + Task FindByUserCodeAsync(string userCode, CancellationToken ct); + + /// + /// Finds device authorization by device code. + /// + /// The device code. + /// The cancellation token. + Task FindByDeviceCodeAsync(string deviceCode, CancellationToken ct); + + /// + /// Updates device authorization, searching by user code. + /// + /// The user code. + /// The data. + /// The cancellation token. + Task UpdateByUserCodeAsync(string userCode, DeviceCode data, CancellationToken ct); + + /// + /// Removes the device authorization, searching by device code. + /// + /// The device code. + /// The cancellation token. + Task RemoveByDeviceCodeAsync(string deviceCode, CancellationToken ct); +} +``` + +#### DeviceCode + +```csharp +/// +/// Represents data needed for device flow. +/// +public class DeviceCode +{ + /// + /// Gets or sets the creation time. + /// + /// + /// The creation time. + /// + public DateTime CreationTime { get; set; } + + /// + /// Gets or sets the lifetime. + /// + /// + /// The lifetime. 
+ /// + public int Lifetime { get; set; } + + /// + /// Gets or sets the client identifier. + /// + /// + /// The client identifier. + /// + public string ClientId { get; set; } + + /// + /// Gets the description the user assigned to the device being authorized. + /// + /// + /// The description. + /// + public string Description { get; set; } + + /// + /// Gets or sets a value indicating whether this instance is open identifier. + /// + /// + /// true if this instance is open identifier; otherwise, false. + /// + public bool IsOpenId { get; set; } + + /// + /// Gets or sets a value indicating whether this instance is authorized. + /// + /// + /// true if this instance is authorized; otherwise, false. + /// + public bool IsAuthorized { get; set; } + + /// + /// Gets or sets the requested scopes. + /// + /// + /// The authorized scopes. + /// + public IEnumerable RequestedScopes { get; set; } + + /// + /// Gets or sets the authorized scopes. + /// + /// + /// The authorized scopes. + /// + public IEnumerable AuthorizedScopes { get; set; } + + /// + /// Gets or sets the subject. + /// + /// + /// The subject. + /// + public ClaimsPrincipal Subject { get; set; } + + /// + /// Gets or sets the session identifier. + /// + /// + /// The session identifier. + /// + public string SessionId { get; set; } +} +``` diff --git a/astro/src/content/docs/identityserver/reference/stores/idp-store.md b/astro/src/content/docs/identityserver/reference/v7/stores/idp-store.md similarity index 90% rename from astro/src/content/docs/identityserver/reference/stores/idp-store.md rename to astro/src/content/docs/identityserver/reference/v7/stores/idp-store.md index d9a0aa204..81e9d2eea 100644 --- a/astro/src/content/docs/identityserver/reference/stores/idp-store.md +++ b/astro/src/content/docs/identityserver/reference/v7/stores/idp-store.md 
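Review bot: The value line under `RequestedScopes` reads `The authorized scopes.`, a copy of the line under `AuthorizedScopes`; it should read `The requested scopes.`. `Description` is documented as `Gets the description the user assigned...` although it has a setter like every other member, so `Gets or sets` would match the rest of the class. `StoreDeviceAuthorizationAsync` and `FindByUserCodeAsync` each end with an empty `///` line while `FindByDeviceCodeAsync` has none, so the return value of the lookup methods is not described anywhere; if the contract is that an unknown code yields null, a line such as `The stored device authorization, or null if the code is unknown` would tell custom store authors what callers expect.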
@@ -5,14 +5,12 @@ sidebar: label: Identity Provider order: 36 redirect_from: - - /identityserver/v5/reference/stores/idp_store/ - - /identityserver/v6/reference/stores/idp_store/ - /identityserver/v7/reference/stores/idp_store/ --- #### Duende.IdentityServer.Stores.IIdentityProviderStore -Used to dynamically load [identity provider configuration](/identityserver/reference/models/idp.md). +Used to dynamically load [identity provider configuration](/identityserver/reference/v7/models/idp.md). ```csharp /// diff --git a/astro/src/content/docs/identityserver/reference/v7/stores/index.md b/astro/src/content/docs/identityserver/reference/v7/stores/index.md new file mode 100644 index 000000000..516931c52 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/stores/index.md @@ -0,0 +1,24 @@ +--- +title: Stores +description: An overview of IdentityServer's persistence layer abstractions that manage configuration and operational data for authentication and authorization processes. +date: 2020-09-10T08:20:20+02:00 +sidebar: + label: Overview + order: 1 +redirect_from: + - /identityserver/v7/reference/stores/ +--- + +Stores in IdentityServer are the persistence layer abstractions responsible for managing various types of data needed +for the authentication and authorization processes. They provide interfaces to store and retrieve configuration and +operational data. + +Common types of stores include: + +* Client store - manages client application registrations +* Resource store - handles API resources and scopes +* Persisted grant store - maintains operational data like authorization codes and refresh tokens +* User store - manages user authentication data (typically integrated with ASP.NET Identity) + +IdentityServer provides default in-memory implementations of these stores for development scenarios, and extensibility +points to implement custom stores using various database technologies for production environments. 
diff --git a/astro/src/content/docs/identityserver/reference/stores/persisted-grant-store.md b/astro/src/content/docs/identityserver/reference/v7/stores/persisted-grant-store.md similarity index 97% rename from astro/src/content/docs/identityserver/reference/stores/persisted-grant-store.md rename to astro/src/content/docs/identityserver/reference/v7/stores/persisted-grant-store.md index ef741abd5..7016b3825 100644 --- a/astro/src/content/docs/identityserver/reference/stores/persisted-grant-store.md +++ b/astro/src/content/docs/identityserver/reference/v7/stores/persisted-grant-store.md @@ -5,8 +5,6 @@ sidebar: label: Persisted Grant order: 42 redirect_from: - - /identityserver/v5/reference/stores/persisted_grant_store/ - - /identityserver/v6/reference/stores/persisted_grant_store/ - /identityserver/v7/reference/stores/persisted_grant_store/ --- @@ -117,7 +115,7 @@ querying the grants and/or for informational purposes and should be treated as read-only. By default, the `Data` property is encrypted at rest using the ASP.NET Data -Protection API. The [`DataProtectData` option](/identityserver/reference/options.md#persistentgrants) can be used to +Protection API. The [`DataProtectData` option](/identityserver/reference/v7/options.md#persistentgrants) can be used to disable this encryption. 
@@ -129,10 +127,10 @@ Grants that expire set their `Expiration` when they are created as well. Consent records only expire if the `ConsentLifetime` property of the `Client` is set. By default, `ConsentLifetime` is not set and consent lasts until it is revoked. Authorization code records always include an `Expiration`. They expire after the -[`AuthorizationCodeLifetime`](/identityserver/reference/models/client.md#token) has +[`AuthorizationCodeLifetime`](/identityserver/reference/v7/models/client.md#token) has elapsed, so they are initialized with their `Expiration` set that far into the future. Reference token records expire in the same way, with their `Expiration` -controlled by the [`AccessTokenLifetime`](/identityserver/reference/models/client.md#token). Refresh token records also +controlled by the [`AccessTokenLifetime`](/identityserver/reference/v7/models/client.md#token). Refresh token records also always include `Expiration`, controlled by the `AbsoluteRefreshTokenLifetime` and `SlidingRefreshTokenLifetime` [client settings](/identityserver/tokens/refresh.md#sliding-expiration). Custom grant diff --git a/astro/src/content/docs/identityserver/reference/v7/stores/pushed-authorization-request-store.md b/astro/src/content/docs/identityserver/reference/v7/stores/pushed-authorization-request-store.md new file mode 100644 index 000000000..424bf3ac1 --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v7/stores/pushed-authorization-request-store.md 
@@ -0,0 +1,90 @@ +--- +title: "Pushed Authorization Request Store" +description: Interface for managing pushed authorization requests storage in OAuth PAR flow. +sidebar: + label: Pushed Authorization Request + order: 110 +redirect_from: + - /identityserver/v7/reference/stores/pushed_authorization_request_store/ +--- + +The pushed authorization request store is responsible for creating, retrieving, and +consuming pushed authorization requests. + +#### Duende.IdentityServer.Stores.IPushedAuthorizationRequestStore + +```csharp +/// +/// The interface for a service that stores pushed authorization requests. +/// +public interface IPushedAuthorizationRequestStore +{ + /// + /// Stores the pushed authorization request. + /// + /// The request. + /// The cancellation token. + /// + Task StoreAsync(PushedAuthorizationRequest pushedAuthorizationRequest, CancellationToken ct); + + /// + /// Consumes the pushed authorization request, indicating that it should not + /// be used again. Repeated use could indicate some form of replay attack, + /// but also could indicate that an end user refreshed their browser or + /// otherwise retried a request that consumed the pushed authorization + /// request. + /// + /// The hash of the reference value of the + /// pushed authorization request. The reference value is the identifier + /// within the request_uri parameter. + /// The cancellation token. + /// + Task ConsumeByHashAsync(string referenceValueHash, CancellationToken ct); + + /// + /// Gets the pushed authorization request. + /// + /// The hash of the reference value of the + /// pushed authorization request. The reference value is the identifier + /// within the request_uri parameter. + /// The cancellation token. + /// The pushed authorization request, or null if the request does + /// not exist or was previously consumed. 
+ /// + Task GetByHashAsync(string referenceValueHash, CancellationToken ct); +} +``` + +#### Duende.IdentityServer.Models.PushedAuthorizationRequest + +```csharp +/// +/// Represents a persisted Pushed Authorization Request. +/// +public class PushedAuthorizationRequest +{ + /// + /// The hash of the identifier within this pushed request's request_uri + /// value. Request URIs that IdentityServer produces take the form + /// urn:ietf:params:oauth:request_uri:{ReferenceValue}. + /// + public string ReferenceValueHash { get; set; } + + /// + /// The UTC time at which this pushed request will expire. The Pushed + /// request will be used throughout the authentication process, beginning + /// when it is passed to the authorization endpoint by the client, and then + /// subsequently after user interaction, such as login and/or consent occur. + /// If the expiration time is exceeded before a response to the client can + /// be produced, IdentityServer will raise an error, and the user will be + /// redirected to the IdentityServer error page. + /// + + public DateTime ExpiresAtUtc { get; set; } + + /// + /// The data protected content of the pushed authorization request. + /// + public string Parameters { get; set; } +} +``` diff --git a/astro/src/content/docs/identityserver/reference/stores/resource-store.md b/astro/src/content/docs/identityserver/reference/v7/stores/resource-store.md similarity index 92% rename from astro/src/content/docs/identityserver/reference/stores/resource-store.md rename to astro/src/content/docs/identityserver/reference/v7/stores/resource-store.md index 94d86d958..4954bbbdc 100644 --- a/astro/src/content/docs/identityserver/reference/stores/resource-store.md +++ b/astro/src/content/docs/identityserver/reference/v7/stores/resource-store.md 
@@ -5,8 +5,6 @@ sidebar:
 label: Resource
 order: 32
 redirect_from:
- - /identityserver/v5/reference/stores/resource_store/
- - /identityserver/v6/reference/stores/resource_store/
 - /identityserver/v7/reference/stores/resource_store/
 ---
diff --git a/astro/src/content/docs/identityserver/reference/v7/stores/server-side-sessions.md b/astro/src/content/docs/identityserver/reference/v7/stores/server-side-sessions.md
new file mode 100644
index 000000000..1165350c7
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/stores/server-side-sessions.md
@@ -0,0 +1,228 @@ +--- +title: "Server-Side Session Store" +description: "Documentation for the IServerSideSessionStore interface and related models for managing server-side user authentication session data." +sidebar: + label: Server-Side Sessions + order: 100 +redirect_from: + - /identityserver/v7/reference/stores/server_side_sessions/ +--- + +#### Duende.IdentityServer.Stores.IServerSideSessionStore + +Used to persist users' authentication session data when using +the [server-side sessions feature](/identityserver/ui/server-side-sessions/index.md). + +```csharp +/// +/// User session store +/// +public interface IServerSideSessionStore +{ + /// + /// Retrieves a session + /// + Task GetSessionAsync(string key, CancellationToken ct); + + /// + /// Creates a session + /// + Task CreateSessionAsync(ServerSideSession session, CancellationToken ct); + + /// + /// Updates a session + /// + Task UpdateSessionAsync(ServerSideSession session, CancellationToken ct); + + /// + /// Deletes a session + /// + Task DeleteSessionAsync(string key, CancellationToken ct); + + /// + /// Gets sessions for a specific subject id and/or session id + /// + Task> GetSessionsAsync(SessionFilter filter, CancellationToken ct); + + /// + /// Deletes sessions for a specific subject id and/or session id + /// + Task DeleteSessionsAsync(SessionFilter filter, CancellationToken ct); + + /// + /// Removes and returns expired sessions + /// + Task> GetAndRemoveExpiredSessionsAsync(int count, CancellationToken ct); + + /// + /// Queries sessions based on filter + /// + Task> QuerySessionsAsync(CancellationToken ct, SessionQuery? 
filter = null); +} +``` + +#### ServerSideSession + +```csharp +/// +/// A user session +/// +public class ServerSideSession +{ + /// + /// The key + /// + public string Key { get; set; } = default!; + + /// + /// The cookie handler scheme + /// + public string Scheme { get; set; } = default!; + + /// + /// The subject ID + /// + public string SubjectId { get; set; } = default!; + + /// + /// The session ID + /// + public string SessionId { get; set; } = default!; + + /// + /// The display name for the user + /// + public string DisplayName { get; set; } + + /// + /// The creation time + /// + public DateTime Created { get; set; } + + /// + /// The renewal time + /// + public DateTime Renewed { get; set; } + + /// + /// The expiration time + /// + public DateTime? Expires { get; set; } + + /// + /// The serialized ticket + /// + public string Ticket { get; set; } = default!; +} +``` + +:::note +The `Ticket` property contains a copy of all the values (and more) and is considered authoritative by IdentityServer, +thus most of the other property values are considered informational and read-only. +::: + +#### SessionFilter + +```csharp +/// +/// Filter to query user sessions +/// +public class SessionFilter +{ + /// + /// The subject ID + /// + public string SubjectId { get; init; } + + /// + /// The sesion ID + /// + public string SessionId { get; init; } +} +``` + +#### SessionQuery + +```csharp +/// +/// Filter to query all user sessions +/// +public class SessionQuery +{ + /// + /// The token indicating the prior results. + /// + public string ResultsToken { get; set; } + + /// + /// If true, requests the previous set of results relative to the ResultsToken, otherwise requests the next set of results relative to the ResultsToken. + /// + public bool RequestPriorResults { get; set; } + + /// + /// The number requested to return + /// + public int CountRequested { get; set; } + + /// + /// The subject ID used to filter the results. 
+ /// + public string SubjectId { get; init; } + + /// + /// The sesion ID used to filter the results. + /// + public string SessionId { get; init; } + + /// + /// The user display name used to filter the results. + /// + public string DisplayName { get; init; } +} +``` + +#### QueryResult + +```csharp +/// +/// Query result for paged data +/// +public class QueryResult +{ + /// + /// The token that indicates these results. This is used for more results in subsequent queries. + /// If null, then there were no more results. + /// + public string ResultsToken { get; init; } + + /// + /// True if there is a previous set of results. + /// + public bool HasPrevResults { get; set; } + + /// + /// True if there is another set of results. + /// + public bool HasNextResults { get; set; } + + /// + /// The total count (if available). + /// + public int? TotalCount { get; init; } + + /// + /// The total pages (if available). + /// + public int? TotalPages { get; init; } + + /// + /// The current (if available). + /// + public int? CurrentPage { get; init; } + + /// + /// The results. + /// + public IReadOnlyCollection Results { get; init; } = default!; +} +``` diff --git a/astro/src/content/docs/identityserver/reference/stores/signing-key-store.md b/astro/src/content/docs/identityserver/reference/v7/stores/signing-key-store.md similarity index 95% rename from astro/src/content/docs/identityserver/reference/stores/signing-key-store.md rename to astro/src/content/docs/identityserver/reference/v7/stores/signing-key-store.md index 3fa7bc3e1..3017829a7 100644 --- a/astro/src/content/docs/identityserver/reference/stores/signing-key-store.md +++ b/astro/src/content/docs/identityserver/reference/v7/stores/signing-key-store.md @@ -5,8 +5,6 @@ sidebar: label: Signing Key order: 90 redirect_from: - - /identityserver/v5/reference/stores/signing_key_store/ - - /identityserver/v6/reference/stores/signing_key_store/ - /identityserver/v7/reference/stores/signing_key_store/ --- 
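Review bot: Both `SessionFilter.SessionId` and `SessionQuery.SessionId` are documented as `The sesion ID`; the typo should be `The session ID`. `QueryResult.CurrentPage` is documented as `The current (if available).`, which is missing its noun; `The current page (if available).` matches the neighbouring `TotalPages` entry. `ServerSideSession.DisplayName` is the only string property without `= default!`, so it is the one member that is null after construction — if that is deliberate because the display name is optional, the comment could say so rather than leaving store authors to infer it.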
diff --git a/astro/src/content/docs/identityserver/reference/validators/_meta.yml b/astro/src/content/docs/identityserver/reference/v7/validators/_meta.yml
similarity index 100%
rename from astro/src/content/docs/identityserver/reference/validators/_meta.yml
rename to astro/src/content/docs/identityserver/reference/v7/validators/_meta.yml
diff --git a/astro/src/content/docs/identityserver/reference/validators/ciba-user-validator.md b/astro/src/content/docs/identityserver/reference/v7/validators/ciba-user-validator.md
similarity index 94%
rename from astro/src/content/docs/identityserver/reference/validators/ciba-user-validator.md
rename to astro/src/content/docs/identityserver/reference/v7/validators/ciba-user-validator.md
index 8dc5fe9f7..570dc454f 100644
--- a/astro/src/content/docs/identityserver/reference/validators/ciba-user-validator.md
+++ b/astro/src/content/docs/identityserver/reference/v7/validators/ciba-user-validator.md
@@ -5,8 +5,6 @@ sidebar:
 label: Backchannel Authentication User
 order: 30
 redirect_from:
- - /identityserver/v5/reference/validators/ciba_user_validator/
- - /identityserver/v6/reference/validators/ciba_user_validator/
 - /identityserver/v7/reference/validators/ciba_user_validator/
 ---
diff --git a/astro/src/content/docs/identityserver/reference/v7/validators/custom-authorize-request-validator.md b/astro/src/content/docs/identityserver/reference/v7/validators/custom-authorize-request-validator.md
new file mode 100644
index 000000000..fd0fc8945
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/validators/custom-authorize-request-validator.md
@@ -0,0 +1,36 @@
+---
+title: "Custom Authorize Request Validator"
+description: Documentation for the ICustomAuthorizeRequestValidator interface which allows inserting custom validation logic into the authorization request pipeline.
+sidebar:
+  label: Custom Authorize Request
+  order: 10
+redirect_from:
+  - /identityserver/v7/reference/validators/
+  - /identityserver/v7/reference/validators/custom_authorize_request_validator/
+---
+
+#### Duende.IdentityServer.Validation.ICustomAuthorizeRequestValidator
+
+Allows running custom code as part of the authorization issuance pipeline at the authorization endpoint.
+
+```csharp
+///
+/// Allows inserting custom validation logic into authorize requests
+///
+public interface ICustomAuthorizeRequestValidator
+{
+    ///
+    /// Custom validation logic for the authorize request.
+    ///
+    /// The context.
+    Task ValidateAsync(CustomAuthorizeRequestValidationContext context);
+}
+```
+
+* **`ValidateAsync`**
+
+  This method gets called during authorize request processing. The context gives you access to request and response
+  parameters.
+
+  To fail the request, set the `IsError`, the `Error`, and optionally the `ErrorDescription` properties on the
+  `Result` object on the `CustomAuthorizeRequestValidationContext`.
diff --git a/astro/src/content/docs/identityserver/reference/v7/validators/custom-token-request-validator.md b/astro/src/content/docs/identityserver/reference/v7/validators/custom-token-request-validator.md
new file mode 100644
index 000000000..2913d1f83
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v7/validators/custom-token-request-validator.md
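Review bot: The "To fail the request" paragraph tells readers to set `ErrorDescription` but never says that the value leaves the server: for the authorize endpoint it is presumably carried back to the client as the `error_description` parameter or rendered on the error page, so exception text, user identifiers or other internal detail should not be placed there. One sentence after that paragraph would close the gap, for example: "`ErrorDescription` is returned to the client; keep it free of internal details such as exception messages or user identifiers." The same paragraph is repeated in custom-token-request-validator.md in the next hunk, where the value is emitted in the token response, so the sentence belongs there too.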
@@ -0,0 +1,43 @@
+---
+title: "Custom Token Request Validator"
+description: Documentation for the ICustomTokenRequestValidator interface which allows inserting custom validation logic into token requests with the ability to modify request parameters and response fields.
+sidebar:
+  label: Custom Token Request
+  order: 20
+redirect_from:
+  - /identityserver/v7/reference/validators/custom_token_request_validator/
+---
+
+#### Duende.IdentityServer.Validation.ICustomTokenRequestValidator
+
+Allows running custom code as part of the token issuance pipeline at the token endpoint.
+
+```csharp
+///
+/// Allows inserting custom validation logic into token requests
+///
+public interface ICustomTokenRequestValidator
+{
+    ///
+    /// Custom validation logic for a token request.
+    ///
+    /// The context.
+    ///
+    /// The validation result
+    ///
+    Task ValidateAsync(CustomTokenRequestValidationContext context);
+}
+```
+
+* **`ValidateAsync`**
+
+  This method gets called during token request processing. The context gives you access to request and response
+  parameters.
+
+  You can also change certain parameters on the validated request object, e.g. the token lifetime, token type,
+  confirmation method and client claims.
+
+  The `CustomResponse` dictionary allows emitting additional response fields.
+
+  To fail the request, set the `IsError`, the `Error`, and optionally the `ErrorDescription` properties on the
+  `Result` object on the `CustomTokenRequestValidationContext`.
diff --git a/astro/src/content/docs/identityserver/reference/validators/dpop-proof-validator.md b/astro/src/content/docs/identityserver/reference/v7/validators/dpop-proof-validator.md
similarity index 95%
rename from astro/src/content/docs/identityserver/reference/validators/dpop-proof-validator.md
rename to astro/src/content/docs/identityserver/reference/v7/validators/dpop-proof-validator.md
index 4ca9a0e35..b94556f66 100644
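Review bot: The `CustomResponse` sentence does not say where the extra fields end up; they are presumably serialized into the token response handed to the client, so secrets, internal identifiers or unvalidated request input do not belong in that dictionary. The preceding paragraph on changing the token lifetime, token type, confirmation method and client claims should likewise note that such overrides take effect after the built-in validation has applied the client's configured limits, so they ought to be derived from trusted server-side state rather than from request parameters. A suggested addition after the `CustomResponse` line: "Values placed in `CustomResponse` are emitted in the token response as-is; do not include sensitive data." How the token endpoint consumes these values is inferred from the description, not shown on this page.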
--- a/astro/src/content/docs/identityserver/reference/validators/dpop-proof-validator.md +++ b/astro/src/content/docs/identityserver/reference/v7/validators/dpop-proof-validator.md @@ -5,8 +5,6 @@ sidebar: label: DPoP Proof order: 40 redirect_from: - - /identityserver/v5/reference/validators/dpop_proof_validator/ - - /identityserver/v6/reference/validators/dpop_proof_validator/ - /identityserver/v7/reference/validators/dpop_proof_validator/ --- diff --git a/astro/src/content/docs/identityserver/reference/validators/extension-grant-validator.md b/astro/src/content/docs/identityserver/reference/v7/validators/extension-grant-validator.md similarity index 86% rename from astro/src/content/docs/identityserver/reference/validators/extension-grant-validator.md rename to astro/src/content/docs/identityserver/reference/v7/validators/extension-grant-validator.md index a628c2e42..26d2fd4fa 100644 --- a/astro/src/content/docs/identityserver/reference/validators/extension-grant-validator.md +++ b/astro/src/content/docs/identityserver/reference/v7/validators/extension-grant-validator.md @@ -5,8 +5,6 @@ sidebar: label: Extension Grant order: 80 redirect_from: - - /identityserver/v5/reference/validators/extension_grant_validator/ - - /identityserver/v6/reference/validators/extension_grant_validator/ - /identityserver/v7/reference/validators/extension_grant_validator/ --- @@ -41,7 +39,7 @@ public interface IExtensionGrantValidator This method gets called at runtime, when a request comes in that is using the registered extension grant. The job of this method is to validate the request and to populate `ExtensionGrantValidationContext.Result` with - a [grant validation result](/identityserver/reference/models/grant-validation-result.md) + a [grant validation result](/identityserver/reference/v7/models/grant-validation-result.md) The instance of the extension grant validator gets registered with: 
diff --git a/astro/src/content/docs/identityserver/reference/v8/_meta.yml b/astro/src/content/docs/identityserver/reference/v8/_meta.yml
new file mode 100644
index 000000000..992143a42
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/_meta.yml
@@ -0,0 +1,3 @@
+label: "v8.0"
+order: 1
+badge: "latest"
diff --git a/astro/src/content/docs/identityserver/reference/v8/dcr/_meta.yml b/astro/src/content/docs/identityserver/reference/v8/dcr/_meta.yml
new file mode 100644
index 000000000..11015893f
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/dcr/_meta.yml
@@ -0,0 +1,2 @@
+label: "Dynamic Client Registration"
+collapsed: true
\ No newline at end of file
diff --git a/astro/src/content/docs/identityserver/reference/dcr/models.md b/astro/src/content/docs/identityserver/reference/v8/dcr/models.md
similarity index 64%
rename from astro/src/content/docs/identityserver/reference/dcr/models.md
rename to astro/src/content/docs/identityserver/reference/v8/dcr/models.md
index bace960ab..961614945 100644
--- a/astro/src/content/docs/identityserver/reference/dcr/models.md
+++ b/astro/src/content/docs/identityserver/reference/v8/dcr/models.md
@@ -6,7 +6,8 @@ sidebar:
 redirect_from:
   - /identityserver/v5/configuration/dcr/reference/models/
   - /identityserver/v6/configuration/dcr/reference/models/
-  - /identityserver/v7/configuration/dcr/reference/models/
+  - /identityserver/configuration/dcr/reference/models/
+  - /identityserver/reference/dcr/models/
 ---
 
 ## DynamicClientRegistrationRequest
@@ -21,47 +22,47 @@ public class DynamicClientRegistrationRequest #### Public Members -| name | description | -|-----------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| AbsoluteRefreshTokenLifetime { get; set; } | The absolute lifetime of refresh tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | -| AccessTokenLifetime { get; set; } | The lifetime of access tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | -| AccessTokenType { get; set; } | The type of access tokens that this client will create. Either "Jwt" or "Reference". This property is an extension to the Dynamic Client Registration Protocol. | -| AllowedCorsOrigins { get; set; } | List of allowed CORS origins for JavaScript clients. This property is an extension to the Dynamic Client Registration Protocol. | -| AllowedIdentityTokenSigningAlgorithms { get; set; } | List of signing algorithms to use when signing identity tokens. If not set, will use the server default signing algorithm. This property is an extension to the Dynamic Client Registration Protocol. 
| -| AllowRememberConsent { get; set; } | Boolean value specifying whether a user's consent can be remembered in flows initiated by this client. This property is an extension to the Dynamic Client Registration Protocol. | -| AuthorizationCodeLifetime { get; set; } | The lifetime of authorization codes, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | -| BackChannelLogoutSessionRequired { get; set; } | Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. | -| BackChannelLogoutUri { get; set; } | RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. | -| ClientName { get; set; } | Human-readable string name of the client to be presented to the end-user during authorization. | -| ClientUri { get; set; } | Web page providing information about the client. | -| ConsentLifetime { get; set; } | The lifetime of consent, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | -| CoordinateLifetimeWithUserSession { get; set; } | When enabled, the client's token lifetimes (e.g. refresh tokens) will be tied to the user's session lifetime. This means when the user logs out, any revokable tokens will be removed. If using server-side sessions, expired sessions will also remove any revokable tokens, and backchannel logout will be triggered. This client's setting overrides the global CoordinateClientLifetimesWithUserSession configuration setting. This property is an extension to the Dynamic Client Registration Protocol. | -| DefaultMaxAge { get; set; } | Default maximum authentication age. This is stored as the UserSsoLifetime property of the IdentityServer client model. | -| EnableLocalLogin { get; set; } | Boolean value specifying if local logins are enabled when this client uses interactive flows. 
This property is an extension to the Dynamic Client Registration Protocol. | -| Extensions { get; set; } | Custom client metadata fields to include in the serialization. | -| FrontChannelLogoutSessionRequired { get; set; } | Boolean value specifying whether the RP requires that a sid (session ID) query parameter be included to identify the RP session with the OP when the frontchannel_logout_uri is used. | -| FrontChannelLogoutUri { get; set; } | RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. | -| GrantTypes { get; set; } | List of OAuth 2.0 grant type strings that the client can use at the token endpoint. Valid values are "authorization_code", "client_credentials", "refresh_token". | -| IdentityProviderRestrictions { get; set; } | List of external IdPs that can be used with this client. If list is empty all IdPs are allowed. Defaults to empty. This property is an extension to the Dynamic Client Registration Protocol. | -| IdentityTokenLifetime { get; set; } | The lifetime of identity tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | -| InitiateLoginUri { get; set; } | URI using the https scheme that a third party can use to initiate a login by the relying party. | -| Jwks { get; set; } | JWK Set document which contains the client's public keys. The `JwksUri` and `Jwks` parameters MUST NOT both be present in the same request or response. | -| JwksUri { get; set; } | URL to a JWK Set document which contains the client's public keys. The `JwksUri` and `Jwks` parameters MUST NOT both be present in the same request or response. The default validator must be extended to make use of the `JwksUri`. The default implementation ignores this property. | -| LogoUri { get; set; } | Logo for the client. If present, the server should display this image to the end-user during approval. 
| -| PostLogoutRedirectUris { get; set; } | List of post-logout redirection URIs for use in the end session endpoint. | -| RedirectUris { get; set; } | List of redirection URI strings for use in redirect-based flows such as the authorization code flow. Clients using flows with redirection must register their redirection URI values. | -| RefreshTokenExpiration { get; set; } | The type of expiration for refresh tokens. Either "sliding" or "absolute". This property is an extension to the Dynamic Client Registration Protocol. | -| RefreshTokenUsage { get; set; } | The usage type for refresh tokens. Either "OneTimeOnly" or "ReUse". This property is an extension to the Dynamic Client Registration Protocol. | -| RequireClientSecret { get; set; } | Boolean value specifying if a client secret is needed to request tokens at the token endpoint. This property is an extension to the Dynamic Client Registration Protocol. | -| RequireConsent { get; set; } | Boolean value specifying whether consent is required in user-centric flows initiated by this client. This property is an extension to the Dynamic Client Registration Protocol. | -| RequireSignedRequestObject { get; set; } | Boolean value specifying whether authorization requests must be protected as signed request objects and provided through either the request or request_uri parameters. | -| Scope { get; set; } | String containing a space-separated list of scope values that the client can use when requesting access tokens. If omitted, the configuration API will register a client with the scopes set by the `DynamicClientRegistrationValidator.SetDefaultScopes` method, which defaults to no scopes. | -| SlidingRefreshTokenLifetime { get; set; } | The sliding lifetime of refresh tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. 
| -| SoftwareId { get; set; } | A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. Unlike "client_id", which is issued by the authorization server and SHOULD vary between instances, the "software_id" SHOULD remain the same for all instances of the client software. The "software_id" SHOULD remain the same across multiple updates or versions of the same piece of software. The value of this field is not intended to be human-readable and is usually opaque to the client and authorization server. The default validator must be extended to make use of the `SoftwareId`. The default implementation ignores this property. | -| SoftwareStatement { get; set; } | A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT. The default validator must be extended to make use of the software statement. The default implementation ignores this property. | -| SoftwareVersion { get; set; } | A version identifier string for the client software identified by "software_id". The value of the "software_version" SHOULD change on any update to the client software identified by the same "software_id". The value of this field is intended to be compared using string equality matching and no other comparison semantics are defined by this specification. The default validator must be extended to make use of the `SoftwareVersion`. The default implementation ignores this property. | -| TokenEndpointAuthenticationMethod { get; set; } | Requested Client Authentication method for the Token Endpoint. The supported options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt. | -| UpdateAccessTokenClaimsOnRefresh { get; set; } | Boolean value specifying whether access token claims are updated during token refresh. 
This property is an extension to the Dynamic Client Registration Protocol. | +| name | description | +|-------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `AbsoluteRefreshTokenLifetime { get; set; }` | The absolute lifetime of refresh tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `AccessTokenLifetime { get; set; }` | The lifetime of access tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `AccessTokenType { get; set; }` | The type of access tokens that this client will create. Either "Jwt" or "Reference". This property is an extension to the Dynamic Client Registration Protocol. | +| `AllowedCorsOrigins { get; set; }` | List of allowed CORS origins for JavaScript clients. This property is an extension to the Dynamic Client Registration Protocol. | +| `AllowedIdentityTokenSigningAlgorithms { get; set; }` | List of signing algorithms to use when signing identity tokens. If not set, will use the server default signing algorithm. This property is an extension to the Dynamic Client Registration Protocol. 
| +| `AllowRememberConsent { get; set; }` | Boolean value specifying whether a user's consent can be remembered in flows initiated by this client. This property is an extension to the Dynamic Client Registration Protocol. | +| `AuthorizationCodeLifetime { get; set; }` | The lifetime of authorization codes, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `BackChannelLogoutSessionRequired { get; set; }` | Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. | +| `BackChannelLogoutUri { get; set; }` | RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. | +| `ClientName { get; set; }` | Human-readable string name of the client to be presented to the end-user during authorization. | +| `ClientUri { get; set; }` | Web page providing information about the client. | +| `ConsentLifetime { get; set; }` | The lifetime of consent, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `CoordinateLifetimeWithUserSession { get; set; }` | When enabled, the client's token lifetimes (e.g. refresh tokens) will be tied to the user's session lifetime. This means when the user logs out, any revokable tokens will be removed. If using server-side sessions, expired sessions will also remove any revokable tokens, and backchannel logout will be triggered. This client's setting overrides the global CoordinateClientLifetimesWithUserSession configuration setting. This property is an extension to the Dynamic Client Registration Protocol. | +| `DefaultMaxAge { get; set; }` | Default maximum authentication age. This is stored as the UserSsoLifetime property of the IdentityServer client model. | +| `EnableLocalLogin { get; set; }` | Boolean value specifying if local logins are enabled when this client uses interactive flows. 
This property is an extension to the Dynamic Client Registration Protocol. | +| `Extensions { get; set; }` | Custom client metadata fields to include in the serialization. | +| `FrontChannelLogoutSessionRequired { get; set; }` | Boolean value specifying whether the RP requires that a sid (session ID) query parameter be included to identify the RP session with the OP when the frontchannel_logout_uri is used. | +| `FrontChannelLogoutUri { get; set; }` | RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. | +| `GrantTypes { get; set; }` | List of OAuth 2.0 grant type strings that the client can use at the token endpoint. Valid values are "authorization_code", "client_credentials", "refresh_token". | +| `IdentityProviderRestrictions { get; set; }` | List of external IdPs that can be used with this client. If list is empty all IdPs are allowed. Defaults to empty. This property is an extension to the Dynamic Client Registration Protocol. | +| `IdentityTokenLifetime { get; set; }` | The lifetime of identity tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. | +| `InitiateLoginUri { get; set; }` | URI using the https scheme that a third party can use to initiate a login by the relying party. | +| `Jwks { get; set; }` | JWK Set document which contains the client's public keys. The `JwksUri` and `Jwks` parameters MUST NOT both be present in the same request or response. | +| `JwksUri { get; set; }` | URL to a JWK Set document which contains the client's public keys. The `JwksUri` and `Jwks` parameters MUST NOT both be present in the same request or response. The default validator must be extended to make use of the `JwksUri`. The default implementation ignores this property. | +| `LogoUri { get; set; }` | Logo for the client. If present, the server should display this image to the end-user during approval. 
| +| `PostLogoutRedirectUris { get; set; }` | List of post-logout redirection URIs for use in the end session endpoint. | +| `RedirectUris { get; set; }` | List of redirection URI strings for use in redirect-based flows such as the authorization code flow. Clients using flows with redirection must register their redirection URI values. | +| `RefreshTokenExpiration { get; set; }` | The type of expiration for refresh tokens. Either "sliding" or "absolute". This property is an extension to the Dynamic Client Registration Protocol. | +| `RefreshTokenUsage { get; set; }` | The usage type for refresh tokens. Either "OneTimeOnly" or "ReUse". This property is an extension to the Dynamic Client Registration Protocol. | +| `RequireClientSecret { get; set; }` | Boolean value specifying if a client secret is needed to request tokens at the token endpoint. This property is an extension to the Dynamic Client Registration Protocol. | +| `RequireConsent { get; set; }` | Boolean value specifying whether consent is required in user-centric flows initiated by this client. This property is an extension to the Dynamic Client Registration Protocol. | +| `RequireSignedRequestObject { get; set; }` | Boolean value specifying whether authorization requests must be protected as signed request objects and provided through either the request or request_uri parameters. | +| `Scope { get; set; }` | String containing a space-separated list of scope values that the client can use when requesting access tokens. If omitted, the configuration API will register a client with the scopes set by the `DynamicClientRegistrationValidator.SetDefaultScopes` method, which defaults to no scopes. | +| `SlidingRefreshTokenLifetime { get; set; }` | The sliding lifetime of refresh tokens, in seconds. This property is an extension to the Dynamic Client Registration Protocol. 
| +| `SoftwareId { get; set; }` | A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. Unlike "client_id", which is issued by the authorization server and SHOULD vary between instances, the "software_id" SHOULD remain the same for all instances of the client software. The "software_id" SHOULD remain the same across multiple updates or versions of the same piece of software. The value of this field is not intended to be human-readable and is usually opaque to the client and authorization server. The default validator must be extended to make use of the `SoftwareId`. The default implementation ignores this property. | +| `SoftwareStatement { get; set; }` | A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT. The default validator must be extended to make use of the software statement. The default implementation ignores this property. | +| `SoftwareVersion { get; set; }` | A version identifier string for the client software identified by "software_id". The value of the "software_version" SHOULD change on any update to the client software identified by the same "software_id". The value of this field is intended to be compared using string equality matching and no other comparison semantics are defined by this specification. The default validator must be extended to make use of the `SoftwareVersion`. The default implementation ignores this property. | +| `TokenEndpointAuthenticationMethod { get; set; }` | Requested Client Authentication method for the Token Endpoint. The supported options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt. | +| `UpdateAccessTokenClaimsOnRefresh { get; set; }` | Boolean value specifying whether access token claims are updated during token refresh. 
This property is an extension to the Dynamic Client Registration Protocol. | ## DynamicClientRegistrationResponse @@ -74,12 +75,12 @@ public class DynamicClientRegistrationResponse : DynamicClientRegistrationReques #### Public Members -| name | description | -|-------------------------------------|----------------------------------------------------------------------------------------------------| -| ClientId { get; set; } | Gets or sets the client ID. | -| ClientSecret { get; set; } | Gets or sets the client secret. | -| ClientSecretExpiresAt { get; set; } | Gets or sets the expiration time of the client secret. | -| ResponseTypes { get; set; } | List of the OAuth 2.0 response type strings that the client can use at the authorization endpoint. | +| name | description | +|---------------------------------------|----------------------------------------------------------------------------------------------------| +| `ClientId { get; set; }` | Gets or sets the client ID. | +| `ClientSecret { get; set; }` | Gets or sets the client secret. | +| `ClientSecretExpiresAt { get; set; }` | Gets or sets the expiration time of the client secret. | +| `ResponseTypes { get; set; }` | List of the OAuth 2.0 response type strings that the client can use at the authorization endpoint. | ## DynamicClientRegistrationContext 
@@ -94,12 +95,12 @@ public class DynamicClientRegistrationContext #### Public Members -| name | description | -|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| -| Caller { get; set; } | The ClaimsPrincipal that made the DCR request. | -| Client { get; set; } | The client model that is built up through validation and processing. | -| Items { get; set; } | A collection where additional contextual information may be stored. This is intended as a place to pass additional custom state between validation steps. | -| Request { get; set; } | The original dynamic client registration request. | +| name | description | +|-------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `Caller { get; set; }` | The ClaimsPrincipal that made the DCR request. | +| `Client { get; set; }` | The client model that is built up through validation and processing. | +| `Items { get; set; }` | A collection where additional contextual information may be stored. This is intended as a place to pass additional custom state between validation steps. | +| `Request { get; set; }` | The original dynamic client registration request. | ## DynamicClientRegistrationError 
@@ -113,10 +114,10 @@ public class DynamicClientRegistrationValidationError : IStepResult, IDynamicCli #### Public Members -| name | description | -|--------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Error { get; set; } | Gets or sets the error code for the error that occurred during validation. Error codes defined by RFC 7591 are defined as constants in the `DynamicClientRegistrationErrors` class. | -| ErrorDescription { get; set; } | Gets or sets a human-readable description of the error that occurred during validation. | +| name | description | +|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `Error { get; set; }` | Gets or sets the error code for the error that occurred during validation. Error codes defined by RFC 7591 are defined as constants in the `DynamicClientRegistrationErrors` class. | +| `ErrorDescription { get; set; }` | Gets or sets a human-readable description of the error that occurred during validation. | ## Marker Interfaces diff --git a/astro/src/content/docs/identityserver/reference/dcr/options.md b/astro/src/content/docs/identityserver/reference/v8/dcr/options.md similarity index 57% rename from astro/src/content/docs/identityserver/reference/dcr/options.md rename to astro/src/content/docs/identityserver/reference/v8/dcr/options.md index ed5fc2d03..aa11233d4 100644 --- a/astro/src/content/docs/identityserver/reference/dcr/options.md +++ b/astro/src/content/docs/identityserver/reference/v8/dcr/options.md 
@@ -6,7 +6,8 @@ sidebar: redirect_from: - /identityserver/v5/configuration/dcr/reference/options/ - /identityserver/v6/configuration/dcr/reference/options/ - - /identityserver/v7/configuration/dcr/reference/options/ + - /identityserver/configuration/dcr/reference/options/ + - /identityserver/reference/dcr/options/ --- The page describes the `IdentityServerConfigurationOptions` class, which provides top-level configuration options for @@ -15,7 +16,7 @@ secret lifetimes. ## IdentityServerConfigurationOptions -Top-level options for IdentityServer.Configuration. +Top-level options for IdentityServer configuration. ```csharp public class IdentityServerConfigurationOptions @@ -23,9 +24,9 @@ public class IdentityServerConfigurationOptions ### Public Members -| name | description | -|------------------------------------------------------------------------------|-----------------------------------------| -| [DynamicClientRegistration](#dynamicclientregistrationoptions) { get; set; } | Options for Dynamic Client Registration | +| name | description | +|--------------------------------------------------------------------------------|-----------------------------------------| +| [`DynamicClientRegistration { get; set; }`](#dynamicclientregistrationoptions) | Options for Dynamic Client Registration | ## DynamicClientRegistrationOptions 
@@ -37,6 +38,6 @@ public class DynamicClientRegistrationOptions ### Public Members -| name | description | -|------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| -| SecretLifetime { get; set; } | Gets or sets the lifetime of secrets generated for clients. If unset, generated secrets will have no expiration. Defaults to null (secrets never expire). | +| name | description | +|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `SecretLifetime { get; set; }` | Gets or sets the lifetime of secrets generated for clients. If unset, generated secrets will have no expiration. Defaults to null (secrets never expire). | diff --git a/astro/src/content/docs/identityserver/reference/dcr/processing.md b/astro/src/content/docs/identityserver/reference/v8/dcr/processing.md similarity index 65% rename from astro/src/content/docs/identityserver/reference/dcr/processing.md rename to astro/src/content/docs/identityserver/reference/v8/dcr/processing.md index 408682b89..e1a05e4e2 100644 --- a/astro/src/content/docs/identityserver/reference/dcr/processing.md +++ b/astro/src/content/docs/identityserver/reference/v8/dcr/processing.md @@ -6,7 +6,8 @@ sidebar: redirect_from: - /identityserver/v5/configuration/dcr/reference/processing/ - /identityserver/v6/configuration/dcr/reference/processing/ - - /identityserver/v7/configuration/dcr/reference/processing/ + - /identityserver/configuration/dcr/reference/processing/ + - /identityserver/reference/dcr/processing/ --- The page explains the `IDynamicClientRegistrationRequestProcessor` contract, its default implementation ( 
@@ -24,13 +25,13 @@ on the `Client` model that are generated by the Configuration API itself. In contrast, the `IDynamicClientRegistrationRequestProcessor` is responsible for checking the validity of the metadata supplied in the registration request, and using that metadata to set properties of a `Client` model. The request processor -is also responsible for passing the finished `Client` to the [store](/identityserver/reference/dcr/store.md) +is also responsible for passing the finished `Client` to the [store](/identityserver/reference/v8/dcr/store.md) ### Members -| name | description | -|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| ProcessAsync(…) | Processes a valid dynamic client registration request, setting properties of the client that are not specified in the request, and storing the new client in the IClientConfigurationStore. | +| name | description | +|-------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `ProcessAsync(…)` | Processes a valid dynamic client registration request, setting properties of the client that are not specified in the request, and storing the new client in the IClientConfigurationStore. | ## DynamicClientRegistrationRequestProcessor 
@@ -46,16 +47,16 @@ public class DynamicClientRegistrationRequestProcessor : IDynamicClientRegistrat ## Request Processing Steps Each of these virtual methods represents one step of request processing. -Each step is passed a [DynamicClientRegistrationContext](/identityserver/reference/dcr/models.md#dynamicclientregistrationcontext) and returns a task -that returns an [`IStepResult`](/identityserver/reference/dcr/models.md#istepresult). The `DynamicClientRegistrationContext` includes the client model +Each step is passed a [DynamicClientRegistrationContext](/identityserver/reference/v8/dcr/models.md#dynamicclientregistrationcontext) and returns a task +that returns an [`IStepResult`](/identityserver/reference/v8/dcr/models.md#istepresult). The `DynamicClientRegistrationContext` includes the client model that will have its properties set, the DCR request, and other contextual information. The `IStepResult` either represents that the step succeeded or failed. -| name | description | -|-------------------------|---------------------------------------------------------------------------| -| virtual AddClientId | Generates a client ID and adds it to the validatedRequest's client model. | -| virtual AddClientSecret | Adds a client secret to a dynamic client registration request. | +| name | description | +|---------------------------|---------------------------------------------------------------------------| +| `virtual AddClientId` | Generates a client ID and adds it to the validatedRequest's client model. | +| `virtual AddClientSecret` | Adds a client secret to a dynamic client registration request. | ## Secret Generation 
@@ -64,6 +65,6 @@ plaintext of that secret to the context's `Items` dictionary for later use. If y you can override the GenerateSecret method, which only needs to return a tuple containing the secret and its plaintext. -| name | description | -|------------------------|---------------------------------------------------------------| -| virtual GenerateSecret | Generates a secret for a dynamic client registration request. | \ No newline at end of file +| name | description | +|--------------------------|---------------------------------------------------------------| +| `virtual GenerateSecret` | Generates a secret for a dynamic client registration request. | \ No newline at end of file diff --git a/astro/src/content/docs/identityserver/reference/v8/dcr/response.md b/astro/src/content/docs/identityserver/reference/v8/dcr/response.md new file mode 100644 index 000000000..caf4c49eb --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v8/dcr/response.md 
@@ -0,0 +1,41 @@ +--- +title: "Response Generation" +description: "Reference documentation for dynamic client registration response generation, including interfaces and implementations for handling HTTP responses in the registration process." +sidebar: + order: 40 +redirect_from: + - /identityserver/v5/configuration/dcr/reference/response/ + - /identityserver/v6/configuration/dcr/reference/response/ + - /identityserver/configuration/dcr/reference/response/ + - /identityserver/reference/dcr/response/ +--- + +## IDynamicClientRegistrationResponseGenerator +The `IDynamicClientRegistrationResponseGenerator` interface defines the contract +for a service that generates dynamic client registration responses. + +```csharp +public interface IDynamicClientRegistrationResponseGenerator +``` + +### Members + +| name | description | +|----------------------------|--------------------------------------------------------------------------| +| `WriteBadRequestError(…)` | Writes a bad request error to the HTTP context. | +| `WriteContentTypeError(…)` | Writes a content type error to the HTTP response. | +| `WriteProcessingError(…)` | Writes a processing error to the HTTP context. | +| `WriteResponse(…)` | Writes a response object to the HTTP context with the given status code. | +| `WriteSuccessResponse(…)` | Writes a success response to the HTTP context. | +| `WriteValidationError(…)` | Writes a validation error to the HTTP context. | + + +## DynamicClientRegistrationResponseGenerator + +The `DynamicClientRegistrationResponseGenerator` is the default implementation of the `IDynamicClientRegistrationResponseGenerator`. If you wish to customize a particular aspect of response generation, you can extend this class and override the appropriate methods. You can also set JSON serialization options by overriding its `SerializerOptions` property. 
+ +### Members + +| name | description | +|-----------------------------------|-----------------------------------------------------| +| `SerializerOptions { get; set; }` | The options used for serializing json in responses. | diff --git a/astro/src/content/docs/identityserver/reference/dcr/store.md b/astro/src/content/docs/identityserver/reference/v8/dcr/store.md similarity index 76% rename from astro/src/content/docs/identityserver/reference/dcr/store.md rename to astro/src/content/docs/identityserver/reference/v8/dcr/store.md index 75bb39723..af4b9bcf2 100644 --- a/astro/src/content/docs/identityserver/reference/dcr/store.md +++ b/astro/src/content/docs/identityserver/reference/v8/dcr/store.md @@ -6,7 +6,8 @@ sidebar: redirect_from: - /identityserver/v5/configuration/dcr/reference/store/ - /identityserver/v6/configuration/dcr/reference/store/ - - /identityserver/v7/configuration/dcr/reference/store/ + - /identityserver/configuration/dcr/reference/store/ + - /identityserver/reference/dcr/store/ --- ## IClientConfigurationStore @@ -21,9 +22,9 @@ public interface IClientConfigurationStore ### Members -| name | description | -|-------------|-------------------------------------------| -| AddAsync(…) | Adds a client to the configuration store. | +| name | description | +|---------------|-------------------------------------------| +| `AddAsync(…)` | Adds a client to the configuration store. | ## ClientConfigurationStore diff --git a/astro/src/content/docs/identityserver/reference/dcr/validation.md b/astro/src/content/docs/identityserver/reference/v8/dcr/validation.md similarity index 50% rename from astro/src/content/docs/identityserver/reference/dcr/validation.md rename to astro/src/content/docs/identityserver/reference/v8/dcr/validation.md index cd5ab2fe4..ff71b6377 100644 --- a/astro/src/content/docs/identityserver/reference/dcr/validation.md +++ b/astro/src/content/docs/identityserver/reference/v8/dcr/validation.md 
@@ -6,10 +6,10 @@ sidebar: redirect_from: - /identityserver/v5/configuration/dcr/reference/validation/ - /identityserver/v6/configuration/dcr/reference/validation/ - - /identityserver/v7/configuration/dcr/reference/validation/ - /identityserver/v5/configuration/dcr/reference/ - /identityserver/v6/configuration/dcr/reference/ - - /identityserver/v7/configuration/dcr/reference/ + - /identityserver/configuration/dcr/reference/ + - /identityserver/reference/dcr/validation/ --- ## IDynamicClientRegistrationValidator @@ -36,12 +36,12 @@ public Task ValidateAsync( | parameter | description | |-----------|-----------------------------------------------| -| context | Contextual information about the DCR request. | +| `context` | Contextual information about the DCR request. | ### Return Value A task that returns an [ -`IDynamicClientRegistrationValidationResult`](/identityserver/reference/dcr/models.md#idynamicclientregistrationvalidationresult), indicating success or +`IDynamicClientRegistrationValidationResult`](/identityserver/reference/v8/dcr/models.md#idynamicclientregistrationvalidationresult), indicating success or failure. ## DynamicClientRegistrationValidator 
@@ -58,28 +58,28 @@ class and override the appropriate methods. ## Validation Steps Each of these methods represents one step in the validation process. -Each step is passed a [`DynamicClientRegistrationContext`](/identityserver/reference/dcr/models.md#dynamicclientregistrationcontext) and returns a task -that returns an [`IStepResult`](/identityserver/reference/dcr/models.md#istepresult). The `DynamicClientRegistrationContext` includes the client model +Each step is passed a [`DynamicClientRegistrationContext`](/identityserver/reference/v8/dcr/models.md#dynamicclientregistrationcontext) and returns a task +that returns an [`IStepResult`](/identityserver/reference/v8/dcr/models.md#istepresult). The `DynamicClientRegistrationContext` includes the client model that will have its properties set, the DCR request, and other contextual information. The `IStepResult` either represents that the step succeeded or failed. The steps are invoked in the same order as they appear in this table. -| name | description | -|-----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| ValidateSoftwareStatementAsync(…) | Validates the software statement of the request. The default implementation does nothing, and is included as an extension point. | -| SetGrantTypesAsync(…) | Validates requested grant types and uses them to set the allowed grant types of the client. | -| SetRedirectUrisAsync(…) | Validates requested redirect uris and uses them to set the redirect uris of the client. | -| SetScopesAsync(…) | Validates requested scopes and uses them to set the scopes of the client. | -| SetDefaultScopes(…) | Sets scopes on the client when no scopes are requested. 
The default implementation sets no scopes and is intended as an extension point. | -| SetSecretsAsync(…) | Validates the requested jwks to set the secrets of the client. | -| SetClientNameAsync(…) | Validates the requested client name uses it to set the name of the client. | -| SetLogoutParametersAsync(…) | Validates the requested client parameters related to logout and uses them to set the corresponding properties in the client. Those parameters include the post logout redirect uris, front channel and back channel uris, and flags for the front and back channel uris indicating if they require session ids. | -| SetMaxAgeAsync(…) | Validates the requested default max age and uses it to set the user sso lifetime of the client. | -| SetUserInterfaceProperties(…) | Validates details of the request that control the user interface, including the logo uri, client uri, initiate login uri, enable local login flag, and identity provider restrictions, and uses them to set the corresponding client properties. | -| SetPublicClientProperties(…) | Validates the requested client parameters related to public clients and uses them to set the corresponding properties in the client. Those parameters include the require client secret flag and the allowed cors origins. | -| SetAccessTokenProperties(…) | Validates the requested client parameters related to access tokens and uses them to set the corresponding properties in the client. Those parameters include the allowed access token type and access token lifetime. | -| SetIdTokenProperties(…) | Validates the requested client parameters related to id tokens and uses them to set the corresponding properties in the client. Those parameters include the id token lifetime and the allowed id token signing algorithms. | -| SetServerSideSessionProperties(…) | Validates the requested client parameters related to server side sessions and uses them to set the corresponding properties in the client. 
Those parameters include the coordinate lifetime with user session flag. | +| name | description | +|-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `ValidateSoftwareStatementAsync(…)` | Validates the software statement of the request. The default implementation does nothing, and is included as an extension point. | +| `SetGrantTypesAsync(…)` | Validates requested grant types and uses them to set the allowed grant types of the client. | +| `SetRedirectUrisAsync(…)` | Validates requested redirect uris and uses them to set the redirect uris of the client. | +| `SetScopesAsync(…)` | Validates requested scopes and uses them to set the scopes of the client. | +| `SetDefaultScopes(…)` | Sets scopes on the client when no scopes are requested. The default implementation sets no scopes and is intended as an extension point. | +| `SetSecretsAsync(…)` | Validates the requested jwks to set the secrets of the client. | +| `SetClientNameAsync(…)` | Validates the requested client name uses it to set the name of the client. | +| `SetLogoutParametersAsync(…)` | Validates the requested client parameters related to logout and uses them to set the corresponding properties in the client. Those parameters include the post logout redirect uris, front channel and back channel uris, and flags for the front and back channel uris indicating if they require session ids. | +| `SetMaxAgeAsync(…)` | Validates the requested default max age and uses it to set the user sso lifetime of the client. 
| +| `SetUserInterfaceProperties(…)` | Validates details of the request that control the user interface, including the logo uri, client uri, initiate login uri, enable local login flag, and identity provider restrictions, and uses them to set the corresponding client properties. | +| `SetPublicClientProperties(…)` | Validates the requested client parameters related to public clients and uses them to set the corresponding properties in the client. Those parameters include the require client secret flag and the allowed cors origins. | +| `SetAccessTokenProperties(…)` | Validates the requested client parameters related to access tokens and uses them to set the corresponding properties in the client. Those parameters include the allowed access token type and access token lifetime. | +| `SetIdTokenProperties(…)` | Validates the requested client parameters related to id tokens and uses them to set the corresponding properties in the client. Those parameters include the id token lifetime and the allowed id token signing algorithms. | +| `SetServerSideSessionProperties(…)` | Validates the requested client parameters related to server side sessions and uses them to set the corresponding properties in the client. Those parameters include the coordinate lifetime with user session flag. | diff --git a/astro/src/content/docs/identityserver/reference/di.md b/astro/src/content/docs/identityserver/reference/v8/di.md similarity index 93% rename from astro/src/content/docs/identityserver/reference/di.md rename to astro/src/content/docs/identityserver/reference/v8/di.md index d3161d5ce..2d7862cae 100644 --- a/astro/src/content/docs/identityserver/reference/di.md +++ b/astro/src/content/docs/identityserver/reference/v8/di.md 
@@ -8,7 +8,7 @@ sidebar: redirect_from: - /identityserver/v5/reference/di/ - /identityserver/v6/reference/di/ - - /identityserver/v7/reference/di/ + - /identityserver/reference/di/ --- `AddIdentityServer` return a builder object that provides many extension methods to add IdentityServer specific services @@ -21,7 +21,7 @@ var idsvrBuilder = builder.Services.AddIdentityServer(); :::note Many of the fundamental configuration settings can be set on the options. See the -`[IdentityServerOptions](/identityserver/reference/options)` reference for more details. +`[IdentityServerOptions](/identityserver/reference/v8/options)` reference for more details. ::: ## Configuration Stores @@ -70,10 +70,9 @@ with the following extension methods. Extension methods to enable [caching for configuration data](/identityserver/data/configuration.md#caching-configuration-data): -- **`AddInMemoryCaching`** +- **`AddInMemoryCaching`** - To use any of the caches described below, an implementation of `ICache` must be registered in the ASP.NET Core service provider. - This API registers a default in-memory implementation of `ICache` that's based on ASP.NET Core's `MemoryCache`. + Registers a keyed [`HybridCache`](https://learn.microsoft.com/en-us/aspnet/core/performance/caching/hybrid) instance under `ServiceProviderKeys.ConfigurationStoreCache`. This is required when using any of the caching store decorators below. By default, only the L1 (in-memory) cache tier is used. To enable L2 (distributed) caching, register an `IDistributedCache` implementation — `HybridCache` will automatically use it as the L2 tier. - **`AddClientStoreCache`** Registers a `IClientStore` decorator implementation which will maintain an in-memory cache of `Client` configuration diff --git a/astro/src/content/docs/identityserver/reference/v8/efoptions/_meta.yml b/astro/src/content/docs/identityserver/reference/v8/efoptions/_meta.yml new file mode 100644 index 000000000..b3dd81806 --- /dev/null 
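Review bot: The `AddClientStoreCache` entry at the end of the hunk still says the decorator "will maintain an in-memory cache of `Client` configuration", while the rewritten `AddInMemoryCaching` paragraph just above now says an L2 distributed tier is used automatically once an `IDistributedCache` is registered, so the two descriptions contradict each other for any deployment that registers a distributed cache. If the store decorators read through the keyed `HybridCache` registered under `ServiceProviderKeys.ConfigurationStoreCache` (not visible in this hunk, so worth confirming), the entry should say so, e.g. `Registers an IClientStore decorator that caches Client configuration in the HybridCache registered by AddInMemoryCaching (L1 in-memory, plus the L2 distributed tier when an IDistributedCache is registered).` The section should then also state that with L2 enabled, cached `Client` configuration, including whatever secret representation the store returns, is written to the distributed cache backing store, which therefore needs the same access control and retention treatment as the configuration database; operators reading only the old "in-memory" wording would not expect that. The bullet list continues past the end of the hunk.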
+++ b/astro/src/content/docs/identityserver/reference/v8/efoptions/_meta.yml @@ -0,0 +1,2 @@ +label: "EF Options" +collapsed: true \ No newline at end of file diff --git a/astro/src/content/docs/identityserver/reference/efoptions/configuration.md b/astro/src/content/docs/identityserver/reference/v8/efoptions/configuration.md similarity index 97% rename from astro/src/content/docs/identityserver/reference/efoptions/configuration.md rename to astro/src/content/docs/identityserver/reference/v8/efoptions/configuration.md index 9e8bec5c3..221a1e1da 100644 --- a/astro/src/content/docs/identityserver/reference/efoptions/configuration.md +++ b/astro/src/content/docs/identityserver/reference/v8/efoptions/configuration.md @@ -6,7 +6,7 @@ sidebar: redirect_from: - /identityserver/v5/reference/efoptions/configuration/ - /identityserver/v6/reference/efoptions/configuration/ - - /identityserver/v7/reference/efoptions/configuration/ + - /identityserver/reference/efoptions/configuration/ --- ## Duende.IdentityServer.EntityFramework.Options.ConfigurationStoreOptions diff --git a/astro/src/content/docs/identityserver/reference/efoptions/index.md b/astro/src/content/docs/identityserver/reference/v8/efoptions/index.md similarity index 91% rename from astro/src/content/docs/identityserver/reference/efoptions/index.md rename to astro/src/content/docs/identityserver/reference/v8/efoptions/index.md index 6669a6f68..7f7b9e675 100644 --- a/astro/src/content/docs/identityserver/reference/efoptions/index.md +++ b/astro/src/content/docs/identityserver/reference/v8/efoptions/index.md @@ -7,7 +7,7 @@ sidebar: redirect_from: - /identityserver/v5/reference/efoptions/ - /identityserver/v6/reference/efoptions/ - - /identityserver/v7/reference/efoptions/ + - /identityserver/reference/efoptions/ --- If using the [Entity Framework Core store implementation](/identityserver/data/ef.md), you might need to configure those specific options. 
diff --git a/astro/src/content/docs/identityserver/reference/efoptions/operational.md b/astro/src/content/docs/identityserver/reference/v8/efoptions/operational.md similarity index 98% rename from astro/src/content/docs/identityserver/reference/efoptions/operational.md rename to astro/src/content/docs/identityserver/reference/v8/efoptions/operational.md index ba8399048..b6c497605 100644 --- a/astro/src/content/docs/identityserver/reference/efoptions/operational.md +++ b/astro/src/content/docs/identityserver/reference/v8/efoptions/operational.md @@ -6,7 +6,7 @@ sidebar: redirect_from: - /identityserver/v5/reference/efoptions/operational/ - /identityserver/v6/reference/efoptions/operational/ - - /identityserver/v7/reference/efoptions/operational/ + - /identityserver/reference/efoptions/operational/ --- ## Duende.IdentityServer.EntityFramework.Options.OperationalStoreOptions diff --git a/astro/src/content/docs/identityserver/reference/v8/endpoints/_meta.yml b/astro/src/content/docs/identityserver/reference/v8/endpoints/_meta.yml new file mode 100644 index 000000000..0c4b693ed --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/_meta.yml @@ -0,0 +1,2 @@ +label: "Endpoints" +collapsed: true \ No newline at end of file diff --git a/astro/src/content/docs/identityserver/reference/endpoints/authorize.md b/astro/src/content/docs/identityserver/reference/v8/endpoints/authorize.md similarity index 97% rename from astro/src/content/docs/identityserver/reference/endpoints/authorize.md rename to astro/src/content/docs/identityserver/reference/v8/endpoints/authorize.md index 04bf1e6b2..06f9cccdc 100644 --- a/astro/src/content/docs/identityserver/reference/endpoints/authorize.md +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/authorize.md 
@@ -8,10 +8,10 @@ sidebar: redirect_from: - /identityserver/v5/reference/endpoints/authorize/ - /identityserver/v6/reference/endpoints/authorize/ - - /identityserver/v7/reference/endpoints/authorize/ - /identityserver/v5/reference/endpoints/ - /identityserver/v6/reference/endpoints/ - - /identityserver/v7/reference/endpoints/ + - /identityserver/reference/endpoints/ + - /identityserver/reference/endpoints/authorize/ --- The authorize endpoint can be used to request tokens or authorization codes via the browser. diff --git a/astro/src/content/docs/identityserver/reference/endpoints/ciba.md b/astro/src/content/docs/identityserver/reference/v8/endpoints/ciba.md similarity index 98% rename from astro/src/content/docs/identityserver/reference/endpoints/ciba.md rename to astro/src/content/docs/identityserver/reference/v8/endpoints/ciba.md index 3b3e8e938..687aab3ca 100644 --- a/astro/src/content/docs/identityserver/reference/endpoints/ciba.md +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/ciba.md @@ -7,7 +7,7 @@ sidebar: redirect_from: - /identityserver/v5/reference/endpoints/ciba/ - /identityserver/v6/reference/endpoints/ciba/ - - /identityserver/v7/reference/endpoints/ciba/ + - /identityserver/reference/endpoints/ciba/ --- The backchannel authentication endpoint is used by a client to initiate a [CIBA](/identityserver/ui/ciba.md) request. diff --git a/astro/src/content/docs/identityserver/reference/endpoints/device-authorization.md b/astro/src/content/docs/identityserver/reference/v8/endpoints/device-authorization.md similarity index 92% rename from astro/src/content/docs/identityserver/reference/endpoints/device-authorization.md rename to astro/src/content/docs/identityserver/reference/v8/endpoints/device-authorization.md index 8867140d1..d0a8609b7 100644 --- a/astro/src/content/docs/identityserver/reference/endpoints/device-authorization.md +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/device-authorization.md 
@@ -8,7 +8,8 @@ sidebar: redirect_from: - /identityserver/v5/reference/endpoints/device_authorization/ - /identityserver/v6/reference/endpoints/device_authorization/ - - /identityserver/v7/reference/endpoints/device_authorization/ + - /identityserver/reference/endpoints/device_authorization/ + - /identityserver/reference/endpoints/device-authorization/ --- The device authorization endpoint can be used to request device and user codes. diff --git a/astro/src/content/docs/identityserver/reference/endpoints/discovery.md b/astro/src/content/docs/identityserver/reference/v8/endpoints/discovery.md similarity index 98% rename from astro/src/content/docs/identityserver/reference/endpoints/discovery.md rename to astro/src/content/docs/identityserver/reference/v8/endpoints/discovery.md index 8a23612c1..ac86c265d 100644 --- a/astro/src/content/docs/identityserver/reference/endpoints/discovery.md +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/discovery.md @@ -8,7 +8,7 @@ sidebar: redirect_from: - /identityserver/v5/reference/endpoints/discovery/ - /identityserver/v6/reference/endpoints/discovery/ - - /identityserver/v7/reference/endpoints/discovery/ + - /identityserver/reference/endpoints/discovery/ --- The [discovery endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html) can be used to retrieve metadata diff --git a/astro/src/content/docs/identityserver/reference/endpoints/end-session.md b/astro/src/content/docs/identityserver/reference/v8/endpoints/end-session.md similarity index 95% rename from astro/src/content/docs/identityserver/reference/endpoints/end-session.md rename to astro/src/content/docs/identityserver/reference/v8/endpoints/end-session.md index 2c4a82753..337c36b34 100644 --- a/astro/src/content/docs/identityserver/reference/endpoints/end-session.md +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/end-session.md 
@@ -8,7 +8,8 @@ sidebar: redirect_from: - /identityserver/v5/reference/endpoints/end_session/ - /identityserver/v6/reference/endpoints/end_session/ - - /identityserver/v7/reference/endpoints/end_session/ + - /identityserver/reference/endpoints/end_session/ + - /identityserver/reference/endpoints/end-session/ --- The end session endpoint can be used to trigger single sign-out in the browser ( diff --git a/astro/src/content/docs/identityserver/reference/endpoints/introspection.md b/astro/src/content/docs/identityserver/reference/v8/endpoints/introspection.md similarity index 98% rename from astro/src/content/docs/identityserver/reference/endpoints/introspection.md rename to astro/src/content/docs/identityserver/reference/v8/endpoints/introspection.md index fa28a1310..0642d128b 100644 --- a/astro/src/content/docs/identityserver/reference/endpoints/introspection.md +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/introspection.md @@ -8,7 +8,7 @@ sidebar: redirect_from: - /identityserver/v5/reference/endpoints/introspection/ - /identityserver/v6/reference/endpoints/introspection/ - - /identityserver/v7/reference/endpoints/introspection/ + - /identityserver/reference/endpoints/introspection/ --- The introspection endpoint is an implementation of [RFC 7662](https://tools.ietf.org/html/rfc7662). diff --git a/astro/src/content/docs/identityserver/reference/v8/endpoints/oauth-metadata.md b/astro/src/content/docs/identityserver/reference/v8/endpoints/oauth-metadata.md new file mode 100644 index 000000000..86c49af7e --- /dev/null +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/oauth-metadata.md 
@@ -0,0 +1,27 @@ +--- +title: "OAuth Metadata Endpoint" +description: "Learn about the OAuth metadata endpoint that provides information about your IdentityServer configuration, including issuer name, key material, and supported scopes." +date: 2020-09-10T08:22:12+02:00 +sidebar: + label: OAuth Metadata + order: 2 +redirect_from: + - /identityserver/reference/oauth-metadata/introspection/ +--- + +The [OAuth Metadata Endpoint](https://www.rfc-editor.org/rfc/rfc8414.html) is a standardized way to retrieve metadata +about your IdentityServer. + +The discovery endpoint is available via `/.well-known/oauth-authorization-server` relative to the base address, e.g.: + +```text +https://demo.duendesoftware.com/.well-known/oauth-authorization-server +``` + +## Issuer Name and Path Base + +When hosting IdentityServer in an application that uses [ASP.NET Core's `PathBaseMiddleware`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.extensions.usepathbasemiddleware), the base path will be +included in the issuer name and discovery document URLs. + +Refer the [Discovery Endpoint](/identityserver/reference/v8/endpoints/discovery.md#issuer-name-and-path-base) +for more information. diff --git a/astro/src/content/docs/identityserver/reference/endpoints/revocation.md b/astro/src/content/docs/identityserver/reference/v8/endpoints/revocation.md similarity index 96% rename from astro/src/content/docs/identityserver/reference/endpoints/revocation.md rename to astro/src/content/docs/identityserver/reference/v8/endpoints/revocation.md index 48a71f4af..917d8cdef 100644 --- a/astro/src/content/docs/identityserver/reference/endpoints/revocation.md +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/revocation.md 
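Review bot: The only `redirect_from` entry, `/identityserver/reference/oauth-metadata/introspection/`, looks like it was copied from the introspection page rather than a path this new page was ever served at, so it should be checked against the previous URL layout (and dropped or corrected), and the `date: 2020-09-10` front matter on a file created in this commit looks copied as well. The body also introduces `/.well-known/oauth-authorization-server` as "The discovery endpoint", although the page documents the RFC 8414 OAuth metadata endpoint and links to the separate discovery page two paragraphs later; suggest `The OAuth metadata endpoint is available via /.well-known/oauth-authorization-server relative to the base address, e.g.:`. Finally, `Refer the [Discovery Endpoint]` should read `Refer to the [Discovery Endpoint]`.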
@@ -8,7 +8,7 @@ sidebar: redirect_from: - /identityserver/v5/reference/endpoints/revocation/ - /identityserver/v6/reference/endpoints/revocation/ - - /identityserver/v7/reference/endpoints/revocation/ + - /identityserver/reference/endpoints/revocation/ --- This endpoint allows revoking access tokens (reference tokens only) and refresh token. diff --git a/astro/src/content/docs/identityserver/reference/endpoints/token.md b/astro/src/content/docs/identityserver/reference/v8/endpoints/token.md similarity index 98% rename from astro/src/content/docs/identityserver/reference/endpoints/token.md rename to astro/src/content/docs/identityserver/reference/v8/endpoints/token.md index ca75a7953..09e595259 100644 --- a/astro/src/content/docs/identityserver/reference/endpoints/token.md +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/token.md @@ -8,7 +8,7 @@ sidebar: redirect_from: - /identityserver/v5/reference/endpoints/token/ - /identityserver/v6/reference/endpoints/token/ - - /identityserver/v7/reference/endpoints/token/ + - /identityserver/reference/endpoints/token/ --- The token endpoint can be used to programmatically request tokens. diff --git a/astro/src/content/docs/identityserver/reference/endpoints/userinfo.md b/astro/src/content/docs/identityserver/reference/v8/endpoints/userinfo.md similarity index 96% rename from astro/src/content/docs/identityserver/reference/endpoints/userinfo.md rename to astro/src/content/docs/identityserver/reference/v8/endpoints/userinfo.md index 8ed59a718..28721922d 100644 --- a/astro/src/content/docs/identityserver/reference/endpoints/userinfo.md +++ b/astro/src/content/docs/identityserver/reference/v8/endpoints/userinfo.md 
@@ -8,7 +8,7 @@ sidebar:
 redirect_from:
 - /identityserver/v5/reference/endpoints/userinfo/
 - /identityserver/v6/reference/endpoints/userinfo/
- - /identityserver/v7/reference/endpoints/userinfo/
+ - /identityserver/reference/endpoints/userinfo/
 ---
 
 The UserInfo endpoint can be used to retrieve claims about a user (
diff --git a/astro/src/content/docs/identityserver/reference/v8/models/_meta.yml b/astro/src/content/docs/identityserver/reference/v8/models/_meta.yml
new file mode 100644
index 000000000..5c4f5f27c
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/models/_meta.yml
@@ -0,0 +1,2 @@
+label: "Models"
+collapsed: true
\ No newline at end of file
diff --git a/astro/src/content/docs/identityserver/reference/models/api-resource.md b/astro/src/content/docs/identityserver/reference/v8/models/api-resource.md
similarity index 93%
rename from astro/src/content/docs/identityserver/reference/models/api-resource.md
rename to astro/src/content/docs/identityserver/reference/v8/models/api-resource.md
index 20167d1f1..837659c50 100644
--- a/astro/src/content/docs/identityserver/reference/models/api-resource.md
+++ b/astro/src/content/docs/identityserver/reference/v8/models/api-resource.md
@@ -7,10 +7,11 @@ sidebar:
 redirect_from:
 - /identityserver/v5/reference/models/api_resource/
 - /identityserver/v6/reference/models/api_resource/
- - /identityserver/v7/reference/models/api_resource/
+ - /identityserver/reference/models/api_resource/
 - /identityserver/v5/reference/models/
 - /identityserver/v6/reference/models/
- - /identityserver/v7/reference/models/
+ - /identityserver/reference/models/
+ - /identityserver/reference/models/api-resource/
 ---
 
 ## Duende.IdentityServer.Models.ApiResource
@@ -54,7 +55,7 @@ This class models an API.
 * **`Scopes`**
 
- List of API scope names. You need to create those using [ApiScope](/identityserver/reference/models/api-scope.md).
+ List of API scope names. You need to create those using [ApiScope](/identityserver/reference/v8/models/api-scope.md).
 
 ## Defining API resources
 
 In appsettings.json
diff --git a/astro/src/content/docs/identityserver/reference/models/api-scope.md b/astro/src/content/docs/identityserver/reference/v8/models/api-scope.md
similarity index 94%
rename from astro/src/content/docs/identityserver/reference/models/api-scope.md
rename to astro/src/content/docs/identityserver/reference/v8/models/api-scope.md
index 6d5723a71..01f88c19e 100644
--- a/astro/src/content/docs/identityserver/reference/models/api-scope.md
+++ b/astro/src/content/docs/identityserver/reference/v8/models/api-scope.md
@@ -7,7 +7,8 @@ sidebar:
 redirect_from:
 - /identityserver/v5/reference/models/api_scope/
 - /identityserver/v6/reference/models/api_scope/
- - /identityserver/v7/reference/models/api_scope/
+ - /identityserver/reference/models/api_scope/
+ - /identityserver/reference/models/api-scope/
 ---
 
 ## Duende.IdentityServer.Models.ApiScope
diff --git a/astro/src/content/docs/identityserver/reference/models/ciba-login-request.md b/astro/src/content/docs/identityserver/reference/v8/models/ciba-login-request.md
similarity index 95%
rename from astro/src/content/docs/identityserver/reference/models/ciba-login-request.md
rename to astro/src/content/docs/identityserver/reference/v8/models/ciba-login-request.md
index b9f0b819d..8a159ba9c 100644
--- a/astro/src/content/docs/identityserver/reference/models/ciba-login-request.md
+++ b/astro/src/content/docs/identityserver/reference/v8/models/ciba-login-request.md
@@ -6,7 +6,7 @@ sidebar:
 redirect_from:
 - /identityserver/v5/reference/models/ciba_login_request/
 - /identityserver/v6/reference/models/ciba_login_request/
- - /identityserver/v7/reference/models/ciba_login_request/
+ - /identityserver/reference/models/ciba-login-request/
 ---
 
 ## Duende.IdentityServer.Models.BackchannelUserLoginRequest
diff --git a/astro/src/content/docs/identityserver/reference/models/client.md b/astro/src/content/docs/identityserver/reference/v8/models/client.md
similarity index 99%
rename from astro/src/content/docs/identityserver/reference/models/client.md
rename to astro/src/content/docs/identityserver/reference/v8/models/client.md
index 5174ef0de..165275f05 100644
--- a/astro/src/content/docs/identityserver/reference/models/client.md
+++ b/astro/src/content/docs/identityserver/reference/v8/models/client.md
@@ -7,7 +7,7 @@ sidebar:
 redirect_from:
 - /identityserver/v5/reference/models/client/
 - /identityserver/v6/reference/models/client/
- - /identityserver/v7/reference/models/client/
+ - /identityserver/reference/models/client/
 ---
 
 ## Duende.IdentityServer.Models.Client
diff --git a/astro/src/content/docs/identityserver/reference/models/grant-validation-result.md b/astro/src/content/docs/identityserver/reference/v8/models/grant-validation-result.md
similarity index 96%
rename from astro/src/content/docs/identityserver/reference/models/grant-validation-result.md
rename to astro/src/content/docs/identityserver/reference/v8/models/grant-validation-result.md
index 4ef486d11..2cb7928f6 100644
--- a/astro/src/content/docs/identityserver/reference/models/grant-validation-result.md
+++ b/astro/src/content/docs/identityserver/reference/v8/models/grant-validation-result.md
@@ -7,7 +7,7 @@ sidebar:
 redirect_from:
 - /identityserver/v5/reference/models/grant_validation_result/
 - /identityserver/v6/reference/models/grant_validation_result/
- - /identityserver/v7/reference/models/grant_validation_result/
+ - /identityserver/reference/models/grant-validation-result/
 ---
 
 ## Duende.IdentityServer.Validation.GrantValidationResult
diff --git a/astro/src/content/docs/identityserver/reference/models/identity-resource.md b/astro/src/content/docs/identityserver/reference/v8/models/identity-resource.md
similarity index 97%
rename from astro/src/content/docs/identityserver/reference/models/identity-resource.md
rename to astro/src/content/docs/identityserver/reference/v8/models/identity-resource.md
index 101a306f7..01a9edf7e 100644
--- a/astro/src/content/docs/identityserver/reference/models/identity-resource.md
+++ b/astro/src/content/docs/identityserver/reference/v8/models/identity-resource.md
@@ -7,7 +7,7 @@ sidebar:
 redirect_from:
 - /identityserver/v5/reference/models/identity_resource/
 - /identityserver/v6/reference/models/identity_resource/
- - /identityserver/v7/reference/models/identity_resource/
+ - /identityserver/reference/models/identity-resource/
 ---
 
 ## Duende.IdentityServer.Models.IdentityResource
diff --git a/astro/src/content/docs/identityserver/reference/models/idp.md b/astro/src/content/docs/identityserver/reference/v8/models/idp.md
similarity index 98%
rename from astro/src/content/docs/identityserver/reference/models/idp.md
rename to astro/src/content/docs/identityserver/reference/v8/models/idp.md
index e87640467..42cdc2f1b 100644
--- a/astro/src/content/docs/identityserver/reference/models/idp.md
+++ b/astro/src/content/docs/identityserver/reference/v8/models/idp.md
@@ -7,7 +7,7 @@ sidebar:
 redirect_from:
 - /identityserver/v5/reference/models/idp/
 - /identityserver/v6/reference/models/idp/
- - /identityserver/v7/reference/models/idp/
+ - /identityserver/reference/models/idp/
 ---
 
 ## Duende.IdentityServer.Models.OidcProvider
diff --git a/astro/src/content/docs/identityserver/reference/models/license-usage-summary.md b/astro/src/content/docs/identityserver/reference/v8/models/license-usage-summary.md
similarity index 98%
rename from astro/src/content/docs/identityserver/reference/models/license-usage-summary.md
rename to astro/src/content/docs/identityserver/reference/v8/models/license-usage-summary.md
index 4cb14b02d..c7d4ffc0a 100644
--- a/astro/src/content/docs/identityserver/reference/models/license-usage-summary.md
+++ b/astro/src/content/docs/identityserver/reference/v8/models/license-usage-summary.md
@@ -10,7 +10,7 @@ sidebar:
 redirect_from:
 - /identityserver/v5/reference/models/license_usage_summary/
 - /identityserver/v6/reference/models/license_usage_summary/
- - /identityserver/v7/reference/models/license_usage_summary/
+ - /identityserver/reference/models/license-usage-summary/
 ---
 
 ## Duende.IdentityServer.Licensing.LicenseUsageSummary
diff --git a/astro/src/content/docs/identityserver/reference/models/secrets.md b/astro/src/content/docs/identityserver/reference/v8/models/secrets.md
similarity index 98%
rename from astro/src/content/docs/identityserver/reference/models/secrets.md
rename to astro/src/content/docs/identityserver/reference/v8/models/secrets.md
index 9823da49a..3198d0b2c 100644
--- a/astro/src/content/docs/identityserver/reference/models/secrets.md
+++ b/astro/src/content/docs/identityserver/reference/v8/models/secrets.md
@@ -7,7 +7,7 @@ sidebar:
 redirect_from:
 - /identityserver/v5/reference/models/secrets/
 - /identityserver/v6/reference/models/secrets/
- - /identityserver/v7/reference/models/secrets/
+ - /identityserver/reference/models/secrets/
 ---
 
 ## Duende.IdentityServer.Validation.ISecretParser
diff --git a/astro/src/content/docs/identityserver/reference/v8/options.md b/astro/src/content/docs/identityserver/reference/v8/options.md
new file mode 100644
index 000000000..128a66b89
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/options.md
@@ -0,0 +1,799 @@ +--- +title: "IdentityServer Options" +description: Documentation of all configuration options in Duende IdentityServer, including settings for key management, endpoints, authentication, events, logging, CORS, Content Security Policy, device flow, mutual TLS, dynamic providers, CIBA, server-side sessions, validation and other core features. +sidebar: + label: Options + order: 10 +redirect_from: + - /identityserver/v5/reference/options/ + - /identityserver/v5/reference/ + - /identityserver/v6/reference/options/ + - /identityserver/v6/reference/ + - /identityserver/reference/options/ + - /identityserver/reference/ +--- + +#### Duende.IdentityServer.Configuration.IdentityServerOptions + +The `IdentityServerOptions` is the central place to configure fundamental settings in Duende IdentityServer. + +You set the options when registering IdentityServer at startup time, using a lambda expression in the AddIdentityServer method: + +```csharp +// Program.cs +var idsvrBuilder = builder.Services.AddIdentityServer(options => +{ + // configure options here.. +}) +``` + +## Main + +Top-level settings. Available directly on the `IdentityServerOptions` object. + +- **`IssuerUri`** + + The name of the token server, used in the discovery document as the `issuer` claim and in JWT tokens and introspection responses as the `iss` claim. + + It is not recommended to set this option. If it is not set (the default), the issuer is inferred from the URL used by clients. This better conforms to the OpenID Connect specification, which requires that issuer values be "identical to the Issuer URL that was directly used to retrieve the configuration information". It is also more convenient for clients to validate the issuer of tokens, because they will not need additional configuration or customization to know the expected issuer. 
+ + If you need to access IdentityServer on a different address from the expected issuer value, for example internally in a Kubernetes cluster, setting the issuer is a good practice. Note that when doing so, you will need to set the OpenID Connect metadata address manually in your client application to prevent the address derived from the authority from being used. + +- **`LowerCaseIssuerUri`** + + Controls the casing of inferred `IssuerUri`s. When set to `false`, the original casing of the IssuerUri in requests is preserved. When set to `true`, the `IssuerUri` is converted to lowercase. Defaults to `true`. + +- **`AccessTokenJwtType`** + + The value used for the `typ` header in JWT access tokens. Defaults to `at+jwt`, as specified by the [RFC 9068](https://datatracker.ietf.org/doc/html/rfc9068). If `AccessTokenJwtType` is set to `null` or the empty string, the `typ` header will not be emitted in JWT access tokens. + +- **`LogoutTokenJwtType`** + + The value for the `typ` header in back-channel logout tokens. Defaults to "logout+jwt", as specified by [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html#logouttoken). + +- **`EmitScopesAsSpaceDelimitedStringInJwt`** + + Controls the format of scope claims in JWTs and introspection responses. Historically scopes values were emitted as an array in JWT access tokens. [RFC 9068](https://datatracker.ietf.org/doc/html/rfc9068) now specifies a space delimited string instead. Defaults to `false` for backwards compatibility. + +- **`EmitStaticAudienceClaim`** + + Emits a static `aud` (audience) claim in all access tokens with the format `{issuer}/resources`. For example, if IdentityServer was running at `https://identity.example.com`, the static `aud` claim's value would be `https://identity.example.com/resources`. Historically, older versions of IdentityServer produced tokens with a static audience claim in this format. 
This flag is intended for use when you need to produce backwards-compatible access tokens. Also note that multiple audience claims are possible. If you enable this flag and also configure `ApiResource`s you can have both the static audience and audiences from the API resources. Defaults to `false`. + +- **`EmitIssuerIdentificationResponseParameter`** + + Emits the `iss` response parameter on authorize responses, as specified by [RFC 9207](https://datatracker.ietf.org/doc/rfc9207/). Defaults to `true`. + +- **`EmitStateHash`** + + Emits the s_hash claim in identity tokens. The s_hash claim is a hash of the state parameter that is specified in the OpenID Connect [Financial-grade API Security Profile](https://openid.net/specs/openid-financial-api-part-2-1_0.html). Defaults to `false`. + +- **`StrictJarValidation`** + + Strictly validate JWT-secured authorization requests according to [RFC 9101](https://datatracker.ietf.org/doc/rfc9101/). When enabled, JWTs used to secure authorization requests must have the `typ` header value `oauth-authz-req+jwt` and JWT-secured authorization requests must have the HTTP `content-type` header value `application/oauth-authz-req+jwt`. This might break older OIDC conformant request objects. Defaults to `false`. + +- **`ValidateTenantOnAuthorization`** + Specifies if a user's `tenant` claim is compared to the tenant `acr_values` parameter value to determine if the login page is displayed. Defaults to `false`. + +## Key management + +Automatic key management settings. Available on the `KeyManagement` property of the `IdentityServerOptions` object. + +- **`Enabled`** + + Enables automatic key management. Defaults to true. + +- **`SigningAlgorithms`** + + The signing algorithms for which automatic key management will manage keys. 
+ + This option is configured with a list of objects containing a Name property, which is the name of a supported signing algorithm, and a UseX509Certificate property, which is a flag indicating if the signing key should be wrapped in an X.509 certificate. + + The first algorithm in the collection will be used as the default for clients that do not specify `AllowedIdentityTokenSigningAlgorithms`. + + The supported signing algorithm names are `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, and `ES512`. + + X.509 certificates are not supported for `ES256`, `ES384`, and `ES512` keys. + + Defaults to `RS256` without an X.509 certificate. + +:::note +_X.509 certificates_ have an expiration date, but IdentityServer does +not use this data to validate the certificate and throw an exception. If a certificate has expired then you +must decide whether to continue using it or replace it with a new certificate. +::: + +- **`RsaKeySize`** + Key size (in bits) of RSA keys. The signing algorithms that use RSA keys (`RS256`, `RS384`, `RS512`, `PS256`, `PS384`, and `PS512`) will generate an RSA key of this length. Defaults to 2048. +- **`RotationInterval`** + + Age at which keys will no longer be used for signing, but will still be used in discovery for validation. + Defaults to 90 days. + +- **`PropagationTime`** + + Time expected to propagate new keys to all servers, and time expected all clients to refresh discovery. + Defaults to 14 days. + +- **`RetentionDuration`** + + Duration for keys to remain in discovery after rotation. + Defaults to 14 days. + +- **`DeleteRetiredKeys`** + + Automatically delete retired keys. + Defaults to true. + +- **`KeyPath`** + + Path for storing keys when using the default file system store. + Defaults to the "keys" directory relative to the hosting application. + +- **`DataProtectKeys`** + + Automatically protect keys in the storage using data protection. + Defaults to true. 
+ +- **`KeyCacheDuration`** + + When in normal operation, duration to cache keys from store. + Defaults to 24 hours. + +- **`InitializationDuration`** + + When no keys have been created yet, this is the window of time considered to be an initialization + period to allow all servers to synchronize if the keys are being created for the first time. + Defaults to 5 minutes. + +- **`InitializationSynchronizationDelay`** + + Delay used when re-loading from the store when the initialization period. It allows + other servers more time to write new keys so other servers can include them. + Defaults to 5 seconds. + +- **`InitializationKeyCacheDuration`** + + Cache duration when within the initialization period. + Defaults to 1 minute. + +## Endpoints + +Endpoint settings, including flags to disable individual endpoints and support for the request_uri JAR parameter. Available on the `Endpoints` property of the `IdentityServerOptions` object. + +- **`EnableAuthorizeEndpoint`** + + Enables the authorize endpoint. Defaults to true. + +- **`EnableTokenEndpoint`** + + Enables the token endpoint. Defaults to true. + +- **`EnableDiscoveryEndpoint`** + + Enables the discovery endpoint. Defaults to true. + +- **`EnableUserInfoEndpoint`** + + Enables the user info endpoint. Defaults to true. + +- **`EnableEndSessionEndpoint`** + + Enables the end session endpoint. Defaults to true. + +- **`EnableCheckSessionEndpoint`** + + Enables the check session endpoint. Defaults to true. + +- **`EnableTokenRevocationEndpoint`** + + Enables the token revocation endpoint. Defaults to true. + +- **`EnableIntrospectionEndpoint`** + + Enables the introspection endpoint. Defaults to true. + +- **`EnableDeviceAuthorizationEndpoint`** + + Enables the device authorization endpoint. Defaults to true. + +- **`EnableBackchannelAuthenticationEndpoint`** + + Enables the backchannel authentication endpoint. Defaults to true. 
+ +- **`EnablePushedAuthorizationEndpoint`** + + Enables the pushed authorization endpoint. Defaults to true. + +- **`EnableJwtRequestUri`** + Enables the `request_uri` parameter for JWT-Secured Authorization Requests. This allows the JWT to be passed by reference. Disabled by default, due to the security implications of enabling the request_uri parameter (see [RFC 9101 section 10.4](https://datatracker.ietf.org/doc/rfc9101/)). + +## Discovery + +Discovery settings, including flags to toggle sections of the discovery document and settings to add custom entries to it. Available on the `Discovery` property of the `IdentityServerOptions` object. + +If you want to take full control over the rendering of the discovery and jwks documents, you can implement the `IDiscoveryResponseGenerator` interface (or derive from our default implementation). + +- **`ShowEndpoints`** + + Shows endpoints (authorization_endpoint, token_endpoint, etc.) in the discovery document. Defaults to true. + +- **`ShowKeySet`** + + Shows the jwks_uri in the discovery document and enables the jwks endpoint. Defaults to true. + +- **`ShowIdentityScopes`** + + Includes IdentityResources in the supported_scopes of the discovery document. Defaults to true. + +- **`ShowApiScopes`** + + Includes ApiScopes in the supported_scopes of the discovery document. Defaults to true. + +- **`ShowClaims`** + + Shows claims_supported in the discovery document. Defaults to true. + +- **`ShowResponseTypes`** + + Shows response_types_supported in the discovery document. Defaults to true. + +- **`ShowResponseModes`** + + Shows response_modes_supported in the discovery document. Defaults to true. + +- **`ShowGrantTypes`** + + Shows grant_types_supported in the discovery document. Defaults to true. + +- **`ShowExtensionGrantTypes`** + + Includes extension grant types in the grant_types_supported of the discovery document. Defaults to true. 
+ +- **`ShowTokenEndpointAuthenticationMethods`** + + Shows token_endpoint_auth_methods_supported in the discovery document. Defaults to true. + +- **`CustomEntries`** + Adds custom elements to the discovery document. For example: + +```csharp +// Program.cs +var idsvrBuilder = builder.Services.AddIdentityServer(options => +{ + options.Discovery.CustomEntries.Add("my_setting", "foo"); + options.Discovery.CustomEntries.Add("my_complex_setting", + new + { + foo = "foo", + bar = "bar" + }); +}); +``` + +- **`ExpandRelativePathsInCustomEntries`** + Expands paths in custom entries that begin with "~/" into absolute paths below the IdentityServer base address. Defaults to true. In the following example, if IdentityServer's base address is `https://localhost:5001`, then `my_custom_endpoint`'s value will be expanded to `https://localhost:5001/custom`. + +```csharp +options.Discovery.CustomEntries.Add("my_custom_endpoint", "~/custom"); +``` + +## Authentication + +Login/logout related settings. Available on the `Authentication` property of the `IdentityServerOptions` + +- **`CookieAuthenticationScheme`** + Sets the cookie authentication scheme configured by the host used for interactive users. If not set, the scheme will be inferred from the host's default authentication scheme. This setting is typically used when AddPolicyScheme is used in the host as the default scheme. + +- **`CookieLifetime`** + + The authentication cookie lifetime (only effective if the IdentityServer-provided cookie handler is used). Defaults to 10 hours. + +- **`CookieSlidingExpiration`** + + Specifies if the cookie should be sliding or not (only effective if the IdentityServer-provided cookie handler is used). Defaults to false. + +- **`CookieSameSiteMode`** + + Specifies the SameSite mode for the internal cookies. Defaults to None. + +- **`RequireAuthenticatedUserForSignOutMessage`** + + Indicates if user must be authenticated to accept parameters to end session endpoint. Defaults to false. 
+ +- **`CheckSessionCookieName`** + + The name of the cookie used for the check session endpoint. Defaults to the constant `IdentityServerConstants.DefaultCheckSessionCookieName`, which has the value "idsrv.session". + +- **`CheckSessionCookieDomain`** + + The domain of the cookie used for the check session endpoint. Defaults to `null`. + +- **`CheckSessionCookieSameSiteMode`** + + The SameSite mode of the cookie used for the check session endpoint. Defaults to None. + +- **`RequireCspFrameSrcForSignout`** + + Enables all content security policy headers on the end session endpoint. For historical reasons, this option's name mentions `frame-src`, but the content security policy headers on the end session endpoint also include other fetch directives, including a _default-src 'none'_ directive, which prevents most resources from being loaded by the end session endpoint, and a `style-src` directive that specifies the hash of the expected style on the page. + +- **`CoordinateClientLifetimesWithUserSession`** (added in `v6.1`) + When enabled, all clients' token lifetimes (e.g. refresh tokens) will be tied to the user's session lifetime. + This means when the user logs out, any revokable tokens will be removed. + If using server-side sessions, expired sessions will also remove any revokable tokens, and backchannel logout will be triggered. + An individual client can override this setting with its own `CoordinateLifetimeWithUserSession` configuration setting. + +## Events + +Configures which [events](/identityserver/diagnostics/events.md) should be raised at the registered event sink. + +- **`RaiseSuccessEvents`** + + Enables success events. Defaults to false. Success events include all the events whose names are postfixed with "SuccessEvent". In general, they are raised when properly formed and valid requests are processed without errors. + +- **`RaiseFailureEvents`** + + Enables failure events. Defaults to false. 
Failure events include all the events whose names are postfixed with "FailureEvent". In general, they are raised when an action has failed because of incorrect or badly formed parameters in a request. They indicate that the user or client calling IdentityServer has done something wrong and are analogous to a 400: bad request error. + +- **`RaiseErrorEvents`** + + Enables Error events. Defaults to false. Error events are raised when an error has occurred, either because of invalid configuration or an unhandled exception. They indicate that there is something wrong within the token server or its configuration and are analogous to a 500: internal server error. + +- **`RaiseInformationEvents`** + + Enables Information events. Defaults to false. Information events are emitted when an action has occurred that is of informational interest, but that is neither a success nor a failure. For example, when the end user grants, denies, or revokes consent, that is considered an information event, because these events capture a valid choice of the user rather than success or failure. + +## Logging + +Logging related settings, including filters that will remove sensitive values and unwanted exceptions from logs. Available on the `Logging` property of the `IdentityServerOptions` object. + +- **`AuthorizeRequestSensitiveValuesFilter`** + + Collection of parameter names passed to the authorize endpoint that are considered sensitive and will be redacted in logs. Note that authorization parameters pushed to the Pushed Authorization Request (PAR) endpoint are eventually handled by the authorize request pipeline. This filter should be configured to exclude sensitive values wether or not they are pushed, and usually should be set to the same value as `PushedAuthorizationSensitiveValuesFilter`. Defaults to `client_secret`, `client_assertion`, `id_token_hint`. The default value was changed in version 7.2.2 to include `client_secret` and `client_assertion`. 
+ +- **`PushedAuthorizationSensitiveValuesFilter`** + + Collection of parameter names passed to the Pushed Authorization Request (PAR) endpoint that are considered sensitive and will be redacted in logs. Note that authorization parameters pushed to the PAR endpoint are eventually handled by the authorize request pipeline. This filter should be configured to exclude sensitive values that are pushed, and usually should be set to the same value as `AuthorizeRequestSensitiveValuesFilter`. Defaults to `client_secret`, `client_assertion`, `id_token_hint`. + +- **`TokenRequestSensitiveValuesFilter`** + + Collection of parameter names passed to the token endpoint that are considered sensitive and will be redacted in logs. In `v7.0` and earlier, defaults to `client_secret`, `password`, `client_assertion`, `refresh_token`, and `device_code`. In `v7.1`, `subject_token` is also excluded. + +- **`BackchannelAuthenticationRequestSensitiveValuesFilter`** + + Collection of parameter names passed to the backchannel authentication endpoint that are considered sensitive and will be redacted in logs. Defaults to `client_secret`, `client_assertion`, and `id_token_hint`. + +- **`UnhandledExceptionLoggingFilter`** (added in `v6.2`) + + A function that is called when the IdentityServer middleware detects an unhandled exception, and is used to determine if the exception is logged. + The arguments to the function are the HttpContext and the Exception. It should return true to log the exception, and false to suppress. + The default is to suppress logging of cancellation-related exceptions when the `CancellationToken` on the `HttpContext` has requested cancellation. Such exceptions are thrown when Http requests are canceled, which is an expected occurrence. Logging them creates unnecessary noise in the logs. In `v7.0` and earlier, only `TaskCanceledException`s were filtered. Beginning in `v7.1`, `OperationCanceledException`s are filtered as well. 
+
+## InputLengthRestrictions
+
+Settings that control the allowed length of various protocol parameters, such as client id, scope, redirect URI etc. Available on the `InputLengthRestrictions` property of the `IdentityServerOptions` object.
+
+- **`ClientId`**
+
+  Max length for ClientId. Defaults to 100.
+
+- **`ClientSecret`**
+
+  Max length for external client secrets. Defaults to 100.
+
+- **`Scope`**
+
+  Max length for scope. Defaults to 300.
+
+- **`RedirectUri`**
+
+  Max length for redirect_uri. Defaults to 400.
+
+- **`Nonce`**
+
+  Max length for nonce. Defaults to 300.
+
+- **`UiLocale`**
+
+  Max length for ui_locale. Defaults to 100.
+
+- **`LoginHint`**
+
+  Max length for login_hint. Defaults to 100.
+
+- **`AcrValues`**
+
+  Max length for acr_values. Defaults to 300.
+
+- **`GrantType`**
+
+  Max length for grant_type. Defaults to 100.
+
+- **`UserName`**
+
+  Max length for username. Defaults to 100.
+
+- **`Password`**
+
+  Max length for password. Defaults to 100.
+
+- **`CspReport`**
+
+  Max length for CSP reports. Defaults to 2000.
+
+- **`IdentityProvider`**
+
+  Max length for external identity provider name. Defaults to 100.
+
+- **`ExternalError`**
+
+  Max length for external identity provider errors. Defaults to 100.
+
+- **`AuthorizationCode`**
+
+  Max length for authorization codes. Defaults to 100.
+
+- **`DeviceCode`**
+
+  Max length for device codes. Defaults to 100.
+
+- **`RefreshToken`**
+
+  Max length for refresh tokens. Defaults to 100.
+
+- **`TokenHandle`**
+
+  Max length for token handles. Defaults to 100.
+
+- **`Jwt`**
+
+  Max length for JWTs. Defaults to 51200.
+
+- **`CodeChallengeMinLength`**
+
+  Min length for the code challenge. Defaults to 43.
+
+- **`CodeChallengeMaxLength`**
+
+  Max length for the code challenge. Defaults to 128.
+
+- **`CodeVerifierMinLength`**
+
+  Min length for the code verifier. Defaults to 43.
+
+- **`CodeVerifierMaxLength`**
+
+  Max length for the code verifier. Defaults to 128.
+
+- **`ResourceIndicatorMaxLength`**
+
+  Max length for resource indicator parameter. Defaults to 512.
+
+- **`BindingMessage`**
+
+  Max length for binding_message. Defaults to 100.
+
+- **`UserCode`**
+
+  Max length for user_code. Defaults to 100.
+
+- **`IdTokenHint`**
+
+  Max length for id_token_hint. Defaults to 4000.
+
+- **`LoginHintToken`**
+
+  Max length for login_hint_token. Defaults to 4000.
+
+- **`AuthenticationRequestId`**
+  Max length for auth_req_id. Defaults to 100.
+
+## UserInteraction
+
+User interaction settings, including urls for pages in the UI, names of parameters to those pages, and other settings related to interactive flows. Available on the `UserInteraction` property of the `IdentityServerOptions` object.
+
+- **`LoginUrl`**, **`LogoutUrl`**, **`ConsentUrl`**, **`ErrorUrl`**, **`DeviceVerificationUrl`**
+
+  Sets the URLs for the login, logout, consent, error and device verification pages.
+
+- **`CreateAccountUrl`** (added in `v6.3`)
+
+  Sets the URL for the create account page, which is used by OIDC requests that include the `prompt=create` parameter. When this option is set, including the `prompt=create` parameter will cause the user to be redirected to the specified url. `create` will also be added to the discovery document's `prompt_values_supported` array to announce support for this feature. When this option is not set, the `prompt=create` parameter is ignored, and `create` is not added to discovery. Defaults to `null`.
+
+- **`LoginReturnUrlParameter`**
+
+  Sets the name of the return URL parameter passed to the login page. Defaults to `returnUrl`.
+
+- **`LogoutIdParameter`**
+
+  Sets the name of the logout message id parameter passed to the logout page. Defaults to `logoutId`.
+
+- **`ConsentReturnUrlParameter`**
+
+  Sets the name of the return URL parameter passed to the consent page. Defaults to `returnUrl`.
+
+- **`ErrorIdParameter`**
+
+  Sets the name of the error message id parameter passed to the error page. Defaults to `errorId`.
+
+- **`CustomRedirectReturnUrlParameter`**
+
+  Sets the name of the return URL parameter passed to a custom redirect from the authorization endpoint. Defaults to `returnUrl`.
+
+- **`DeviceVerificationUserCodeParameter`**
+
+  Sets the name of the user code parameter passed to the device verification page. Defaults to `userCode`.
+
+- **`CookieMessageThreshold`**
+
+  Certain interactions between IdentityServer and some UI pages require a cookie to pass state and context (any of the pages above that have a configurable "message id" parameter).
+  Since browsers have limits on the number of cookies and their size, this setting is used to prevent too many cookies being created.
+  The value sets the maximum number of message cookies of any type that will be created.
+  The oldest message cookies will be purged once the limit has been reached.
+  This effectively indicates how many tabs can be opened by a user when using IdentityServer. Defaults to 2.
+
+- **`AllowOriginInReturnUrl`**
+
+  Flag that allows return URL validation to accept full URL that includes the IdentityServer origin. Defaults to `false`.
+
+- **`PromptValuesSupported`** (added in `v7.0.7`)
+
+  The collection of OIDC prompt modes supported and that will be published in discovery. By
+  default, this includes all values in `Constants.SupportedPromptModes`. If the
+  `CreateAccountUrl` option is set, then the "create" value is also included. If additional
+  prompt values are added, a customized [`IAuthorizeInteractionResponseGenerator"`](/identityserver/ui/custom.md) is also required to handle those values.
+
+## Caching
+
+Caching settings for the stores. Available on the `Caching` property of the `IdentityServerOptions` object. These settings only apply if the respective caching has been enabled in the services configuration in startup.
+
+- **`ClientStoreExpiration`**
+
+  Cache duration of client configuration loaded from the client store. Defaults to 15 minutes.
+
+- **`ResourceStoreExpiration`**
+
+  Cache duration of identity and API resource configuration loaded from the resource store. Defaults to 15 minutes.
+
+- **`CorsExpiration`**
+
+  Cache duration of CORS configuration loaded from the CORS policy service. Defaults to 15 minutes.
+
+- **`IdentityProviderCacheDuration`**
+
+  Cache duration of identity provider configuration loaded from the identity provider store. Defaults to 60 minutes.
+
+- **`CacheLockTimeout`** *(obsolete)*
+
+  The timeout for concurrency locking in `KeyManager` for key-management operations. This property is no longer used by configuration-store caching (`HybridCache` provides built-in stampede protection). Defaults to 60 seconds.
+
+## CORS
+
+CORS settings for IdentityServer's endpoints. Available on the `Cors` property of the `IdentityServerOptions` object. The underlying CORS implementation is provided from ASP.NET Core, and as such it is automatically registered in the dependency injection system.
+
+- **`CorsPolicyName`**
+
+  Name of the CORS policy that will be evaluated for CORS requests into IdentityServer. Defaults to `IdentityServer`.
+  The policy provider that handles this is implemented in terms of the `ICorsPolicyService` registered in the dependency injection system.
+  If you wish to customize the set of CORS origins allowed to connect, then it is recommended that you provide a custom implementation of `ICorsPolicyService`.
+
+- **`CorsPaths`**
+
+  The endpoints within IdentityServer where CORS is supported.
+  Defaults to the discovery, user info, token, and revocation endpoints.
+
+- **`PreflightCacheDuration`**
+
+  Indicates the value to be used in the preflight `Access-Control-Max-Age` response header.
+  Defaults to `null` indicating no caching header is set on the response.
+
+## Content Security Policy
+
+Settings for Content Security Policy (CSP) headers that IdentityServer emits. Available on the `Csp` property of the `IdentityServerOptions` object.
+
+- **`Level`**
+
+  The level of CSP to use. CSP Level 2 is used by default, but this can be changed to `CspLevel.One` to accommodate older browsers.
+
+- **`AddDeprecatedHeader`**
+  Indicates if the older `X-Content-Security-Policy` CSP header should also be emitted in addition to the standards-based header value. Defaults to `true`.
+
+## Device Flow
+
+OAuth device flow settings. Available on the `DeviceFlow` property of the `IdentityServerOptions` object.
+
+- **`DefaultUserCodeType`**
+
+  The user code type to use, unless set at the client level. Defaults to `Numeric`, a 9-digit code.
+
+- **`Interval`**
+
+  The maximum frequency in seconds that a client may poll the token endpoint in the device flow. Defaults to `5`.
+
+## Mutual TLS
+
+[Mutual TLS](/identityserver/tokens/client-authentication.md) settings. Available on the `MutualTls` property of the `IdentityServerOptions` object.
+
+```csharp
+// Program.cs
+var builder = services.AddIdentityServer(options =>
+{
+    options.MutualTls.Enabled = true;
+
+    // use mtls subdomain
+    options.MutualTls.DomainName = "mtls";
+
+    options.MutualTls.AlwaysEmitConfirmationClaim = true;
+})
+```
+
+- **`Enabled`**
+
+  Specifies if MTLS support should be enabled. Defaults to `false`.
+
+- **`ClientCertificateAuthenticationScheme`**
+
+  Specifies the name of the authentication handler for X.509 client certificates. Defaults to `Certificate`.
+
+- **`DomainName`**
+
+  Specifies either the name of the subdomain or full domain for running the MTLS endpoints. MTLS will use path-based endpoints if not set (the default).
+  Use a simple string (e.g. "mtls") to set a subdomain, use a full domain name (e.g. "identityserver-mtls.io") to set a full domain name.
+  When a full domain name is used, you also need to set the `IssuerName` to a fixed value.
+
+- **`AlwaysEmitConfirmationClaim`**
+
+  Specifies whether a cnf claim gets emitted for access tokens if a client certificate was present.
+  Normally the cnf claims only gets emitted if the client used the client certificate for authentication,
+  setting this to true, will set the claim regardless of the authentication method. Defaults to false.
+
+## PersistentGrants
+
+Shared settings for persisted grants behavior.
+
+- **`DataProtectData`**
+
+  Data protect the persisted grants "data" column. Defaults to `true`.
+  If your database is already protecting data at rest, then you can consider disabling this.
+
+- **`DeleteOneTimeOnlyRefreshTokensOnUse`** (added in `v6.3`)
+
+  When Refresh tokens that are configured with RefreshTokenUsage.OneTime are used, this option controls if they will be deleted immediately or retained and marked as consumed. The default is on - immediately delete.
+
+## Dynamic Providers
+
+Settings for [dynamic providers](/identityserver/ui/login/dynamicproviders.md). Available on the `DynamicProviders` property of the `IdentityServerOptions` object.
+
+- **`PathPrefix`**
+
+  Prefix in the pipeline for callbacks from external providers. Defaults to "/federation".
+
+- **`SignInScheme`**
+
+  Scheme used for signin. Defaults to the constant `IdentityServerConstants.ExternalCookieAuthenticationScheme`, which has the value "idsrv.external".
+
+- **`SignOutScheme`**
+  Scheme for signout. Defaults to the constant `IdentityServerConstants.DefaultCookieAuthenticationScheme`, which has the value "idsrv".
+
+## CIBA
+
+[CIBA](/identityserver/ui/ciba.md) settings. Available on the `Ciba` property of the `IdentityServerOptions` object.
+
+- **`DefaultLifetime`**
+
+  The default lifetime of the pending authentication requests in seconds. Defaults to 300.
+
+- **`DefaultPollingInterval`**
+  The maximum frequency in seconds that a client may poll the token endpoint in the CIBA flow. Defaults to 5.
+
+## Server-Side Sessions
+
+Settings for [server-side sessions](/identityserver/ui/server-side-sessions/index.md). Added in `v6.1`. Available on the `ServerSideSessions` property of the `IdentityServerOptions` object.
+
+- **`UserDisplayNameClaimType`**
+
+  Claim type used for the user's display name. Unset by default due to possible PII concerns. If used, this would commonly be `JwtClaimTypes.Name`, `JwtClaimType.Email` or a custom claim.
+
+- **`RemoveExpiredSessions`**
+
+  Enables periodic cleanup of expired sessions. Defaults to true.
+
+- **`RemoveExpiredSessionsFrequency`**
+
+  Frequency that expired sessions will be removed. Defaults to 10 minutes.
+
+- **`RemoveExpiredSessionsBatchSize`**
+
+  Number of expired session records to be removed at a time. Defaults to 100.
+
+- **`ExpiredSessionsTriggerBackchannelLogout`**
+
+  If enabled, when server-side sessions are removed due to expiration, back-channel logout notifications will be sent.
+  This will, in effect, tie a user's session lifetime at a client to their session lifetime at IdentityServer. Defaults to true.
+
+- **`FuzzExpiredSessionRemovalStart`**
+
+  The background session cleanup job runs at a configured interval. If multiple nodes run the cleanup
+  job at the same time update conflicts might occur in the store. To reduce the propability of that happening, the startup time can be fuzzed. The first run is scheduled at a random time between the host startup and the configured RemoveExpiredSessionsFrequency. Subsequent runs are run on the configured RemoveExpiredSessionsFrequency.
+  Defaults to `true`.
+
+## Validation
+
+- **`InvalidRedirectUriPrefixes`**
+
+  Collection of URI scheme prefixes that should never be used as custom URI
+  schemes in the `redirect_uri` passed to tha authorize endpoint or the
+  `post_logout_redirect_uri` passed to the end_session endpoint. Defaults to
+  _["javascript:", "file:", "data:", "mailto:", "ftp:", "blob:", "about:",
+  "ssh:", "tel:", "view-source:", "ws:", "wss:"]_.
+
+## DPoP
+
+Added in 6.3.0.
+
+Demonstration of Proof-of-Possession settings. Available on the `DPoP` property of the `IdentityServerOptions` object.
+
+- **`ProofTokenValidityDuration`**
+
+  Duration that DPoP proof tokens are considered valid. Defaults to _1 minute_.
+
+- **`ServerClockSkew`**
+  Clock skew used in validating DPoP proof token expiration using a server-generated nonce value. Defaults to `0`.
+
+## Pushed Authorization Requests
+
+[Pushed Authorization Requests (PAR)](/identityserver/tokens/par.md) settings. Added in `v7.0`. Available on the `PushedAuthorization` property of the `IdentityServerOptions` object.
+
+- **`Required`**
+
+  Causes PAR to be required globally. Defaults to `false`.
+
+- **`Lifetime`**
+
+  Controls the lifetime of pushed authorization requests. The pushed authorization request's lifetime begins when the request to the PAR endpoint is received, and is validated until the authorize endpoint returns a response to the client application. Note that user interaction, such as entering credentials or granting consent, may need to occur before the authorize endpoint can do so. Setting the lifetime too low will likely cause login failures for interactive users, if pushed authorization requests expire before those users complete authentication. Some security profiles, such as the FAPI 2.0 Security Profile recommend an expiration within 10 minutes to prevent attackers from pre-generating requests. To balance these constraints, this lifetime defaults to 10 minutes.
+
+## Diagnostics
+
+[Diagnostic data](/identityserver/diagnostics/data.mdx) settings. Added in `v7.3`. Available on the `Diagnostics` property of the `IdentityServerOptions` object.
+
+- **`LogFrequency`**
+
+  Frequency at which the diagnostic data is logged. Defaults to 1 hour.
+
+- **`ChunkSize`**
+
+  Maximum size of diagnostic data log message chunks in kilobytes. Defaults to 8160 bytes. 8 KB is a conservative limit for the max size of a log message that is imposed by some logging tools.
+  We take 32 bytes less than that to allow for additional formatting of the log message.
+
+## Preview Features
+
+Preview Features settings. Available on the `Preview` property of the `IdentityServerOptions` object.
+
+:::note
+Duende IdentityServer may ship preview features, which can be configured using preview options.
+Note that preview features can be removed and may break in future releases.
+:::
+
+#### Discovery Document Cache
+
+In large deployments of Duende IdentityServer, where a lot of concurrent users attempt to
+consume the [discovery endpoint](/identityserver/reference/v8/endpoints/discovery.md) to retrieve
+metadata about your IdentityServer, you can increase throughput by enabling the
+discovery document cache preview using the _`EnableDiscoveryDocumentCache`_ flag.
+This will cache discovery document information for the duration specified in the
+_`DiscoveryDocumentCacheDuration`_ option.
+
+It's best to keep the cache time low if you use the _`CustomEntries`_ element on the
+discovery document or implement a custom _`IDiscoveryResponseGenerator`_.
+
+#### Strict Audience Validation
+
+When using [_private key JWT_](/identityserver/tokens/client-authentication.md#private-key-jwts),
+there is a theoretical vulnerability where a Relying Party trusting multiple OpenID Providers
+could be attacked if one of the OpenID Providers is malicious or compromised.
+
+The OpenID Foundation proposed a two-part fix: strictly validate the audience and set an
+explicit `typ` header in the authentication JWT.
+
+You can [enable strict audience validation in Duende IdentityServer](/identityserver/tokens/client-authentication.md#strict-audience-validation)
+using the _`StrictClientAssertionAudienceValidation`_ flag, which strictly validates that
+the audience is equal to the issuer and validates the token's `typ` header.
diff --git a/astro/src/content/docs/identityserver/reference/v8/response-handling/_meta.yml b/astro/src/content/docs/identityserver/reference/v8/response-handling/_meta.yml
new file mode 100644
index 000000000..2a88c189f
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/response-handling/_meta.yml
@@ -0,0 +1,2 @@
+label: "Response Handling"
+collapsed: true
\ No newline at end of file
diff --git a/astro/src/content/docs/identityserver/reference/response-handling/authorize-interaction-response-generator.md b/astro/src/content/docs/identityserver/reference/v8/response-handling/authorize-interaction-response-generator.md
similarity index 95%
rename from astro/src/content/docs/identityserver/reference/response-handling/authorize-interaction-response-generator.md
rename to astro/src/content/docs/identityserver/reference/v8/response-handling/authorize-interaction-response-generator.md
index 5856c3527..a7b2d3fbe 100644
--- a/astro/src/content/docs/identityserver/reference/response-handling/authorize-interaction-response-generator.md
+++ b/astro/src/content/docs/identityserver/reference/v8/response-handling/authorize-interaction-response-generator.md
@@ -6,7 +6,7 @@ sidebar:
 redirect_from:
   - /identityserver/v5/reference/response_handling/authorize_interaction_response_generator/
   - /identityserver/v6/reference/response_handling/authorize_interaction_response_generator/
-  - /identityserver/v7/reference/response_handling/authorize_interaction_response_generator/
+  - /identityserver/reference/response-handling/authorize-interaction-response-generator/
 ---
 
 #### Duende.IdentityServer.ResponseHandling.IAuthorizeInteractionResponseGenerator
diff --git a/astro/src/content/docs/identityserver/reference/response-handling/http-response-writer.md b/astro/src/content/docs/identityserver/reference/v8/response-handling/http-response-writer.md
similarity index 95%
rename from astro/src/content/docs/identityserver/reference/response-handling/http-response-writer.md
rename to astro/src/content/docs/identityserver/reference/v8/response-handling/http-response-writer.md
index 8d9d20d57..2bcad2795 100644
--- a/astro/src/content/docs/identityserver/reference/response-handling/http-response-writer.md
+++ b/astro/src/content/docs/identityserver/reference/v8/response-handling/http-response-writer.md
@@ -6,7 +6,7 @@ sidebar:
 redirect_from:
   - /identityserver/v5/reference/response_handling/http_response_writer/
   - /identityserver/v6/reference/response_handling/http_response_writer/
-  - /identityserver/v7/reference/response_handling/http_response_writer/
+  - /identityserver/reference/response-handling/http-response-writer/
 ---
 
 The `IHttpResponseWriter` interface is the contract for services that can produce HTTP responses for `IEndpointResult`s.
diff --git a/astro/src/content/docs/identityserver/reference/response-handling/index.md b/astro/src/content/docs/identityserver/reference/v8/response-handling/index.md
similarity index 96%
rename from astro/src/content/docs/identityserver/reference/response-handling/index.md
rename to astro/src/content/docs/identityserver/reference/v8/response-handling/index.md
index 5d056b54c..26f46fe3d 100644
--- a/astro/src/content/docs/identityserver/reference/response-handling/index.md
+++ b/astro/src/content/docs/identityserver/reference/v8/response-handling/index.md
@@ -7,7 +7,7 @@ sidebar:
 redirect_from:
   - /identityserver/v5/reference/response_handling/
   - /identityserver/v6/reference/response_handling/
-  - /identityserver/v7/reference/response_handling/
+  - /identityserver/reference/response-handling/
 ---
 
 IdentityServer's endpoints follow a pattern of abstraction in which a response generator uses a validated input model to produce a response model. The response model is a type that represents the data that will be returned from the endpoint. The response model is then wrapped in a result model, which is a type that facilitates serialization by an implementation of `IHttpResponseWriter`.
diff --git a/astro/src/content/docs/identityserver/reference/v8/response-handling/token_response_generator.md b/astro/src/content/docs/identityserver/reference/v8/response-handling/token_response_generator.md
new file mode 100644
index 000000000..7670a2e96
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/response-handling/token_response_generator.md
@@ -0,0 +1,108 @@
+---
+title: "Token Response Generator"
+description: Documentation for the ITokenResponseGenerator interface and its implementation, which generates responses to valid token endpoint requests with customization options for different token flows.
+sidebar:
+  order: 20
+redirect_from:
+  - /identityserver/v6/reference/response_handling/token_response_generator/
+  - /identityserver/reference/response-handling/token_response_generator/
+---
+
+## Duende.IdentityServer.ResponseHandling.ITokenResponseGenerator
+
+The `ITokenResponseGenerator` interface is the contract for the service that generates responses to valid requests to
+the token endpoint. A response in this context refers to an object model that describes the content that will be
+serialized and transmitted in the HTTP response.
+
+The default implementation is the `TokenResponseGenerator` class. You can customize the behavior of the token endpoint
+by providing your own implementation of the `ITokenResponseGenerator` to the ASP.NET Core service provider.
+
+To create a customized implementation of `ITokenResponseGenerator`, we recommend that you create a class that derives
+from the default implementation. Your custom implementation should override the appropriate virtual methods of the
+default implementation and add your custom behavior to those overrides, possibly calling the base methods first and then
+manipulating their results.
+
+## ITokenResponseGenerator
+
+The `ITokenResponseGenerator` contains a single method to process validated token requests and return token responses.
+
+* **`ProcessInteractionAsync`**
+
+  Returns the `TokenResponse` based on the `ValidatedTokenRequest`.
+
+## TokenResponseGenerator
+
+The default implementation of the `ITokenResponseGenerator` contains virtual methods that can be overridden to customize
+particular behavior for particular token requests.
+
+* **`ProcessAsync`**
+
+  Returns the `TokenResponse` for any `TokenRequestValidationResult`.
+
+* **`ProcessClientCredentialsRequestAsync`**
+
+  Returns the `TokenResponse` for a `TokenRequestValidationResult` from the client credentials flow.
+
+* **`ProcessPasswordRequestAsync`**
+
+  Returns the `TokenResponse` for a `TokenRequestValidationResult` from the resource owner password flow.
+
+* **`ProcessAuthorizationCodeRequestAsync`**
+
+  Returns the `TokenResponse` for a `TokenRequestValidationResult` from the authorization code flow.
+
+* **`ProcessRefreshTokenRequestAsync`**
+
+  Returns the `TokenResponse` for a `TokenRequestValidationResult` from the refresh token flow.
+
+* **`ProcessDeviceCodeRequestAsync`**
+
+  Returns the `TokenResponse` for a `TokenRequestValidationResult` from the device code flow.
+
+* **`ProcessCibaRequestAsync`**
+
+  Returns the `TokenResponse` for a `TokenRequestValidationResult` from the CIBA flow.
+
+* **`ProcessExtensionGrantRequestAsync`**
+
+  Returns the `TokenResponse` for a `TokenRequestValidationResult` from an extension grant.
+
+* **`CreateAccessTokenAsync`**
+
+  Creates an access token and optionally a refresh token.
+
+
+* **`CreateIdTokenFromRefreshTokenRequestAsync`**
+
+  Creates an ID token in a refresh token request.
+
+## TokenResponse
+
+The `TokenResponse` class represents the data that will be included in the body of the response returned from the token
+endpoint. It contains properties for the various tokens that can be returned, the scope and expiration of the access
+token, and a mechanism for adding custom properties to the result. Omitting property values will cause the entire
+property to be absent from the response.
+
+* **`IdentityToken`**
+
+  The identity token.
+
+* **`AccessToken`**
+
+  The access token.
+
+* **`RefreshToken`**
+
+  The refresh token.
+
+* **`AccessTokenLifetime`**
+
+  The access token lifetime in seconds.
+
+* **`Scope`**
+
+  The scope.
+
+* **`Custom`**
+
+  A dictionary of strings to objects that will be serialized to json and added to the token response.
diff --git a/astro/src/content/docs/identityserver/reference/v8/services/_meta.yml b/astro/src/content/docs/identityserver/reference/v8/services/_meta.yml
new file mode 100644
index 000000000..03245dbd5
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/services/_meta.yml
@@ -0,0 +1,2 @@
+label: "Services"
+collapsed: true
\ No newline at end of file
diff --git a/astro/src/content/docs/identityserver/reference/v8/services/ciba-interaction-service.md b/astro/src/content/docs/identityserver/reference/v8/services/ciba-interaction-service.md
new file mode 100644
index 000000000..e0b49522b
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/services/ciba-interaction-service.md
@@ -0,0 +1,66 @@
+---
+title: "Backchannel Authentication Interaction Service"
+description: Documentation for the IBackchannelAuthenticationInteractionService interface which provides services for accessing and completing CIBA login requests.
+sidebar:
+  label: Backchannel Authentication Interaction
+  order: 80
+redirect_from:
+  - /identityserver/v5/reference/services/ciba_interaction_service/
+  - /identityserver/v6/reference/services/ciba_interaction_service/
+  - /identityserver/reference/services/ciba-interaction-service/
+---
+
+#### Duende.IdentityServer.Services.IBackchannelAuthenticationInteractionService
+
+The `IBackchannelAuthenticationInteractionService` interface provides services for a user to access or complete a login
+requests for [CIBA](/identityserver/ui/ciba.md).
+It is available from the dependency injection system and would normally be injected as a constructor parameter into your
+MVC controllers for the user interface of IdentityServer.
+
+## IBackchannelAuthenticationInteractionService APIs
+
+All async methods accept a `CancellationToken ct` parameter.
+
+* **`GetPendingLoginRequestsForCurrentUserAsync(CancellationToken ct)`**
+
+  Returns an `IReadOnlyCollection` representing pending login requests for the current user.
+
+* **`GetLoginRequestByInternalIdAsync(string id, CancellationToken ct)`**
+
+  Returns the [BackchannelUserLoginRequest](/identityserver/reference/v8/models/ciba-login-request) object for the id.
+
+* **`CompleteLoginRequestAsync(CompleteBackchannelLoginRequest completionRequest, CancellationToken ct)`**
+
+  Completes the login request with the provided `CompleteBackchannelLoginRequest` response for the current user or the
+  subject passed.
+
+### CompleteBackchannelLoginRequest
+
+Models the data needed for a user to complete a backchannel authentication request.
+
+* **`InternalId`**
+
+  The internal store id for the request.
+
+* **`ScopesValuesConsented`**
+
+  Gets or sets the scope values consented to.
+  Setting any scopes grants the login request.
+  Leaving the scopes null or empty denies the request.
+
+* **`Description`**
+
+  Gets or sets the optional description to associate with the consent.
+
+* **`Subject`**
+
+  The subject for which the completion is being made.
+  This allows more claims to be associated with the request that was identified on the backchannel authentication
+  request.
+  If not provided, then the `IUserSession` service will be consulting to obtain the current subject.
+
+* **`SessionId`**
+
+  The session id to associate with the completion request if the Subject is provided.
+  If the Subject is not provided, then this property is ignored in favor of the session id provided by the
+  `IUserSession` service.
diff --git a/astro/src/content/docs/identityserver/reference/v8/services/ciba-user-notification.md b/astro/src/content/docs/identityserver/reference/v8/services/ciba-user-notification.md
new file mode 100644
index 000000000..344eb03b5
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/services/ciba-user-notification.md
@@ -0,0 +1,24 @@
+---
+title: "Backchannel Authentication User Notification Service"
+description: Documentation for the IBackchannelAuthenticationUserNotificationService interface which is used to notify users when a CIBA login request has been made.
+sidebar:
+  label: Backchannel Authentication User Notification
+  order: 90
+redirect_from:
+  - /identityserver/v5/reference/services/ciba_user_notification/
+  - /identityserver/v6/reference/services/ciba_user_notification/
+  - /identityserver/reference/services/ciba-user-notification/
+---
+
+#### Duende.IdentityServer.Services.IBackchannelAuthenticationUserNotificationService
+
+The `IBackchannelAuthenticationUserNotificationService` interface is used to contact users when
+a [CIBA](/identityserver/ui/ciba.md) login request has been made.
+To use CIBA, you are expected to implement this interface and register it in the ASP.NET Core service provider.
+
+## IBackchannelAuthenticationUserNotificationService APIs
+
+* **`SendLoginRequestAsync(BackchannelUserLoginRequest request, CancellationToken ct)`**
+
+  Sends a notification for the user to login via
+  the [BackchannelUserLoginRequest](/identityserver/reference/v8/models/ciba-login-request.md) parameter.
diff --git a/astro/src/content/docs/identityserver/reference/v8/services/device-flow-interaction-service.md b/astro/src/content/docs/identityserver/reference/v8/services/device-flow-interaction-service.md
new file mode 100644
index 000000000..cd9c08b47
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/services/device-flow-interaction-service.md
@@ -0,0 +1,51 @@
+---
+title: "Device Flow Interaction Service"
+description: Documentation for the IDeviceFlowInteractionService interface which provides services for user interfaces to communicate with IdentityServer during device flow authorization.
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+  label: Device Flow Interaction
+  order: 65
+redirect_from:
+  - /identityserver/v5/reference/services/device_flow_interaction_service/
+  - /identityserver/v6/reference/services/device_flow_interaction_service/
+  - /identityserver/reference/services/device-flow-interaction-service/
+---
+
+#### Duende.IdentityServer.Services.IDeviceFlowInteractionService
+
+The `IDeviceFlowInteractionService` interface is intended to provide services to be used by the user interface to
+communicate with Duende IdentityServer during device flow authorization.
+It is available from the dependency injection system and would normally be injected as a constructor parameter into your
+MVC controllers for the user interface of IdentityServer.
+
+## IDeviceFlowInteractionService APIs
+
+All async methods accept a `CancellationToken ct` parameter.
+
+* **`GetAuthorizationContextAsync(string userCode, CancellationToken ct)`**
+
+  Returns the `DeviceFlowAuthorizationRequest` based on the `userCode` passed to the login or consent pages.
+
+* **`HandleRequestAsync(string userCode, ConsentResponse consent, CancellationToken ct)`**
+
+  Completes device authorization for the given `userCode`.
+
+## DeviceFlowAuthorizationRequest
+
+* **`ClientId`**
+
+  The client identifier that initiated the request.
+
+* **`ScopesRequested`**
+
+  The scopes requested from the authorization request.
+
+## DeviceFlowInteractionResult
+
+* **`IsError`**
+
+  Specifies if the authorization request errored.
+
+* **`ErrorDescription`**
+
+  Error description upon failure.
diff --git a/astro/src/content/docs/identityserver/reference/v8/services/interaction-service.md b/astro/src/content/docs/identityserver/reference/v8/services/interaction-service.md
new file mode 100644
index 000000000..f1f7312dd
--- /dev/null
+++ b/astro/src/content/docs/identityserver/reference/v8/services/interaction-service.md
@@ -0,0 +1,247 @@
+---
+title: "IdentityServer Interaction Service"
+description: Documentation for the IIdentityServerInteractionService interface which provides services for user interfaces to communicate with IdentityServer for authorization, consent, logout, and other user interactions.
+date: 2020-09-10T08:22:12+02:00
+sidebar:
+ label: IdentityServer Interaction
+ order: 60
+redirect_from:
+ - /identityserver/v5/reference/services/interaction_service/
+ - /identityserver/v6/reference/services/interaction_service/
+ - /identityserver/reference/services/interaction-service/
+---
+
+#### Duende.IdentityServer.Services.IIdentityServerInteractionService
+
+The `IIdentityServerInteractionService` interface is intended to provide services to be used by the user interface to
+communicate with IdentityServer, mainly pertaining to user interaction.
+It is available from the dependency injection system and would normally be injected as a constructor parameter into your
+MVC controllers for the user interface of IdentityServer.
+
+## IIdentityServerInteractionService APIs
+
+All async methods accept a `CancellationToken ct` parameter.
+
+* **`GetAuthorizationContextAsync(string? returnUrl, CancellationToken ct)`**
+
+ Returns the `AuthorizationRequest` based on the `returnUrl` passed to the login or consent pages.
+
+* **`IsValidReturnUrl(string? returnUrl)`**
+
+ Indicates if the `returnUrl` is a valid URL for redirect after login or consent.
+
+* **`GetErrorContextAsync(string? errorId, CancellationToken ct)`**
+
+ Returns the `ErrorMessage` based on the `errorId` passed to the error page.
+
+* **`GetLogoutContextAsync(string? logoutId, CancellationToken ct)`**
+
+ Returns the `LogoutRequest` based on the `logoutId` passed to the logout page.
+
+* **`CreateLogoutContextAsync(CancellationToken ct)`**
+
+ Used to create a `logoutId` if there is not one presently.
+ This creates a cookie capturing all the current state needed for signout and the `logoutId` identifies that cookie.
+ This is typically used when there is no current `logoutId` and the logout page must capture the current user's state
+ needed for sign-out prior to redirecting to an external identity provider for signout.
+ The newly created `logoutId` would need to be roundtripped to the external identity provider at signout time, and then
+ used on the signout callback page in the same way it would be on the normal logout page.
+
+* **`GrantConsentAsync(AuthorizationRequest request, ConsentResponse consent, CancellationToken ct, string? subject = null)`**
+
+ Accepts a `ConsentResponse` to inform IdentityServer of the user's consent to a particular `AuthorizationRequest`.
+
+* **`DenyAuthorizationAsync(AuthorizationRequest request, AuthorizationError error, CancellationToken ct, string? errorDescription = null)`**
+
+ Accepts a `AuthorizationError` to inform IdentityServer of the error to return to the client for a particular
+ `AuthorizationRequest`.
+
+* **`GetAllUserGrantsAsync(CancellationToken ct)`**
+
+ Returns an `IReadOnlyCollection` for the user. These represent a user's consent or a client's access to a user's
+ resource.
+
+* **`RevokeUserConsentAsync(string? clientId, CancellationToken ct)`**
+
+ Revokes all of a user's consents and grants for a client.
+
+* **`RevokeTokensForCurrentSessionAsync(CancellationToken ct)`**
+
+ Revokes all of a user's consents and grants for clients the user has signed in to during their current session.
+
+## Returned models
+
+The above methods return various models.
+
+### AuthorizationRequest
+
+* **`Client`**
+
+ The client that initiated the request.
+
+* **`RedirectUri`**
+
+ The URI to redirect the user to after successful authorization.
+
+* **`DisplayMode`**
+
+ The display mode passed from the authorization request.
+
+* **`UiLocales`**
+
+ The UI locales passed from the authorization request.
+
+* **`IdP`**
+ The external identity provider requested.
+ This is used to bypass home realm discovery (HRD).
+ This is provided via the "idp:" prefix to the `acr_values` parameter on the authorize request.
+
+* **`Tenant`**
+
+ The tenant requested.
+ This is provided via the "tenant:" prefix to the `acr_values` parameter on the authorize request.
+
+* **`LoginHint`**
+
+ The expected username the user will use to login.
+ This is requested from the client via the `login_hint` parameter on the authorize request.
+
+* **`PromptMode`**
+
+ The prompt mode requested from the authorization request.
+
+* **`AcrValues`**
+
+ The acr values passed from the authorization request.
+
+* **`ValidatedResources`**
+
+ The `ResourceValidationResult` which represents the validated resources from the authorization request.
+
+* **`Parameters`**
+
+ The entire parameter collection passed to the authorization request.
+
+* **`RequestObjectValues`**
+
+ The validated contents of the request object (if present).
+
+### ResourceValidationResult
+
+* **`Resources`**
+
+ The resources of the result.
+
+* **`ParsedScopes`**
+
+ The parsed scopes represented by the result.
+
+* **`RawScopeValues`**
+
+ The original (raw) scope values represented by the validated result.
+
+### ErrorMessage
+
+* **`Error`**
+
+ The error code.
+
+* **`ErrorDescription`**
+
+ The error description.
+
+* **`DisplayMode`**
+
+ The display mode passed from the authorization request.
+
+* **`UiLocales`**
+
+ The UI locales passed from the authorization request.
+
+* **`RequestId`**
+
+ The per-request identifier. This can be used to display to the end user and can be used in diagnostics.
+
+* **`ClientId`**
+
+ The client id making the request (if available).
+
+* **`RedirectUri`**
+
+ The redirect URI back to the client (if available).
+
+### LogoutRequest
+
+* **`ClientId`**
+
+ The client identifier that initiated the request.
+
+* **`PostLogoutRedirectUri`**
+
+ The URL to redirect the user to after they have logged out.
+
+* **`SessionId`**
+
+ The user's current session id.
+
+* **`SignOutIFrameUrl`**
+
+ The URL to render in an `