Bump Duende.IdentityServer and Duende.IdentityServer.EntityFramework #833

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/nuget/examples/Udap.Auth.Server/develop/multi-9ad150926e

dependabot[bot] commented on behalf of github on Jun 4, 2026

Updated Duende.IdentityServer from 7.4.7 to 8.0.0.

Release notes

Sourced from Duende.IdentityServer's releases.

8.0.0

Duende IdentityServer 8.0

Duende IdentityServer 8.0 targets .NET 10 and marks a significant milestone for the product.

SAML 2.0 is now a first-class protocol alongside OpenID Connect and OAuth 2.0, enabling enterprise and legacy applications to authenticate against your server without requiring separate infrastructure.

This release also introduces a FAPI 2.0/OAuth 2.1 conformance report to help you verify high-security deployments, and delivers substantial internal modernization - including adoption of .NET 10's HybridCache, TimeProvider, nullable reference types, and pervasive cancellation token support - resulting in a cleaner, more maintainable foundation going forward.


New Features

SAML 2.0 Identity Provider
IdentityServer can now act as a full SAML 2.0 Identity Provider, allowing enterprise and legacy applications that require SAML to authenticate against your server alongside OpenID Connect clients.

It supports:

  • SP-initiated SSO via HTTP-Redirect and HTTP-POST bindings
  • Single Logout (SLO) with front-channel notifications
  • Per-SP assertion signing
  • NameID format support
  • AuthnContext class mapping, per-SP claim mappings
  • Metadata endpoint

Your existing login UI requires only a small update to the cancellation path. See the SAML 2.0 documentation.

SAML 2.0 External Authentication
IdentityServer can now federate with external SAML 2.0 Identity Providers, letting you use a third-party SAML IdP as an upstream identity source - the same way you'd add Google or Microsoft Entra ID as an external provider. Configure SAML external providers statically or dynamically using the existing dynamic providers mechanism. See Configuring a SAML external provider.

Financial-Grade Security & Conformance Report
A new Duende.IdentityServer.ConformanceReport package assesses your IdentityServer deployment against OAuth 2.1 and FAPI 2.0 Security Profile specifications and generates an HTML report at a protected endpoint (/_duende/conformance-report). Use it to verify your server is correctly configured for high-security API scenarios. See the Conformance Report documentation.

User Management
IdentityServer 8 integrates with Duende User Management which adds user registration, password management, MFA (TOTP, passkeys), account recovery, and more. See the User Management documentation.


Improvements

  • Token Cleanup Performance - The token cleanup service now uses a more efficient bulk delete strategy when IOperationalStoreNotification is not registered, reducing database load in high-throughput deployments. MySQL EF Core provider compatibility for PAR entry cleanup is also restored.

  • Orphaned Grants Revoked on Session Overwrite - When a server-side session is overwritten (for example, when a user signs in again without signing out first), refresh tokens belonging to the prior session are now automatically revoked. This prevents stale grants from accumulating and remaining valid after re-authentication.

  • Quieter Secret Validation Logging - Expected-failure log entries in client and API secret validation have been downgraded from Error to Debug. This reduces noise in production logs where failed secret lookups are a normal part of the secret hashing comparison process.

  • Relaxed Audience Validation - Audience validation for private key JWT authentication in strict mode now accepts single-element JSON arrays in addition to scalar string values, improving compatibility with tokens from issuers that always serialize audiences as arrays.

  • HTTP 303 Redirects - All redirects from IdentityServer's authorization endpoint now unconditionally use HTTP 303 See Other, aligning with the OAuth 2.0 and OpenID Connect specifications and avoiding issues with intermediaries that treat 302 redirects differently.

  • Unified Authorization Context - SAML and OpenID Connect flows now share the same IAuthenticationContext abstraction. Your login page can access protocol-specific context - including SAML-specific details such as RequestedAuthnContext - through a single consistent interface.

... (truncated)

Commits viewable in compare view.

Updated Duende.IdentityServer.EntityFramework from 7.4.7 to 8.0.0.

Release notes

Sourced from Duende.IdentityServer.EntityFramework's releases.

8.0.0

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps Duende.IdentityServer from 7.4.7 to 8.0.0
Bumps Duende.IdentityServer.EntityFramework from 7.4.7 to 8.0.0

---
updated-dependencies:
- dependency-name: Duende.IdentityServer
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: Duende.IdentityServer.EntityFramework
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the ".NET" (Pull requests that update .NET code) and "dependencies" (Pull requests that update a dependency file) labels on Jun 4, 2026