IdentityServer Sample Code: Sample projects for Duende IdentityServer ----- # Duende IdentityServer Samples > A collection of runnable samples demonstrating various IdentityServer scenarios with source code available in the GitHub repository. We have a collection of runnable samples that show how to use IdentityServer and configure client applications in a variety of scenarios. The source code for the samples is in our [GitHub repository](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7). [Samples Source Code on GitHub ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7)GitHub Repository for the Duende IdentityServer samples Most of the samples include both their own IdentityServer implementation and the clients and APIs needed to demonstrate the illustrated functionality. The [*Basics*](/identityserver/samples/basics/) samples use a [shared IdentityServer implementation](https://github.com/DuendeSoftware/samples/tree/main/IdentityServer/v7/IdentityServerHost). Some samples use our public [demo instance of IdentityServer](https://demo.duendesoftware.com/). ## Feedback [Section titled “Feedback”](#feedback) You can [join the Duende developer community](https://github.com/DuendeSoftware/community/discussions) if you are looking for a particular sample and can’t find it here. [Developer Community Forum ](https://github.com/DuendeSoftware/community/discussions)Join the Duende Developer Community for discussions and feedback ----- # ASP.NET Identity Integration > A sample demonstrating how to integrate ASP.NET Identity with Duende IdentityServer using minimal code to create a working user management system with OIDC capabilities. This section contains a collection of samples when building a Duende IdentityServer solution that uses [ASP.NET Identity](/identityserver/aspnet-identity/) for managing the identity database for users of IdentityServer. ### ASP.NET Identity [Section titled “ASP.NET Identity”](#aspnet-identity) This sample shows using ASP.NET Identity with Duende IdentityServer. The intent was to show the least amount of code needed to get a working sample that used Microsoft’s ASP.NET Identity user management library. The first step in creating the sample was to create a new project that used the ASP.NET Identity templates from Visual Studio (*“Individual Accounts”* for the authentication type). This provides all the out-of-the-box features from ASP.NET Identity for user management with only minor modifications, which are described below. Then Duende IdentityServer was added to add OIDC/OAuth 2.0 capabilities to the application. Only the minimal configuration was done to get Duende IdentityServer functional for this sample. Finally, another project was added which acts as a OIDC client application to exercise the OIDC login (and logout) capabilities. The changes to the template in the ASP.NET Identity project (i.e. “IdentityServerAspNetIdentity”): * Sqlite support was added, replacing the default of SqlServer. * Duende IdentityServer was configured in `Startup.cs` with the necessary information about the client application, and the OIDC scopes it would be requesting. * Debug level logging was enabled for the “Duende” prefix to allow viewing the logging emitted during request processing. * In the middleware pipeline, `UseIdentityServer` replaced `UseAuthentication`. * The logout page was scaffolded to allow modification (located in Areas/Identity/Pages/Account/Logout.cshtml). The default logout page from the template is unaware of OIDC single signout, so this feature was added. In the client application: * A simple ASP.NET Core Razor Web Application was used as the starting point. * In `Startup.cs` the standard cookie and OIDC authentication configuration was added. * A secure page (`Secure.cshtml`) that required an authenticated user will render the logged-in user’s claim in the page. * The index page (`Index.cshtml`) was modified to allow a POST to trigger OIDC logout. * A logout button was added to trigger the POST. [ASP.NET Identity Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/AspNetIdentity)GitHub Repository for the ASP.NET Identity Sample ### ASP.NET Identity Passkey .NET 10 [Section titled “ASP.NET Identity Passkey ”.NET 10](#aspnet-identity-passkey) This sample shows how to port passkey support from a .NET 10 Blazor App project template into Duende IdentityServer. It is based on the [*Duende IdentityServer with ASP.NET Core Identity*](/identityserver/overview/packaging/#duende-identityserver-with-aspnet-core-identity) project template, and adds the necessary changes to support passkey authentication: * In `HostingExtensions.cs`, the ASP.NET Identity schema is set to `IdentitySchemaVersions.Version3`. * An Entity Framework Core migration is added to generate the `AspNetUserPasskeys` table in the database. * The `Passkeys/PasskeyEndpointRouteBuilderExtensions.cs` file registers required minimal API endpoints for passkey creation and passkey request options. The extension method is called in `HostingExtensions.cs`. * The `Passkeys/PasskeyOperation.cs`, `Passkeys/PasskeySubmitTagHelper.cs` and `wwwroot/js/passkey-submit.js`files define a tag helper and web component to handle passkey creation and authentication. * `Pages/_ViewImports.cshtml` is updated to load the tag helper. * The `Models/PasskeyInputModel.cs` file is added and used in the `/Login/InputModel.cs` model. * The `Login/Index.cshtml` and `Login/Index.cshtml.cs` file include the necessary logic to handle passkey authentication. * The `Pages/Account/Passkeys.cshtml`, `Pages/Account/Passkeys.cshtml.cs`,`Pages/Account/RenamePasskey.cshtml`, and `Pages/Account/RenamePasskey.cshtml.cs` files add functionality to register a passkey credential and rename a passkey. [ASP.NET Identity Passkey Sample ](https://github.com/DuendeSoftware/samples/tree/main/IdentityServer/v7/AspNetIdentityPasskeys)GitHub Repository for the ASP.NET Identity Passkey Sample ----- # Basics > A collection of common IdentityServer scenarios including client credentials, JWT-based authentication, reference tokens, MVC clients, token management, and back-channel logout notifications. This section contains a collection of common scenarios when building a Duende IdentityServer solution. ### Client Credentials [Section titled “Client Credentials”](#client-credentials) This sample shows how to use the `client_credentials` grant type. This is typically used for machine to machine communication. Key takeaways: * how to request a token using client credentials * how to use a shared secret * how to use an access token [Client Credentials Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Basics/ClientCredentials)GitHub Repository for the Client Credentials Sample ### JWT-based Client Authentication [Section titled “JWT-based Client Authentication”](#jwt-based-client-authentication) This sample shows how to use the `client_credentials` grant type with JWT-based client authentication. This authentication method is more recommended than shared secrets. Key takeaways: * create a JWT for client authentication * use a JWT as a client secret replacement * configure IdentityServer to accept a JWT as a client secret [JWT-based Client Authentication Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Basics/ClientCredentials)GitHub Repository for the JWT-based Client Authentication Sample ### Introspection & Reference Tokens [Section titled “Introspection & Reference Tokens”](#introspection--reference-tokens) This sample shows how to use the reference tokens instead of JWTs. Things of interest: * the client registration uses `AccessTokenType` of value `Reference` * the client requests `scope2` - this scope is part of an API resource. * API resources allow defining API secrets, which can then be used to access the introspection endpoint * The API supports both JWT and reference tokens, this is achieved by forwarding the token to the right handler at runtime Key takeaways: * configuring a client to receive reference tokens * set up an API resource with an API secret * configure an API to accept and validate reference tokens [Introspection & Reference Tokens Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Basics/Introspection)GitHub Repository for the Introspection & Reference Tokens Sample ### MVC Client [Section titled “MVC Client”](#mvc-client) This sample shows how to use the `authorization_code` grant type. This is typically used for interactive applications like web applications. Key takeaways: * configure an MVC client to use IdentityServer * access tokens in ASP.NET Core’s authentication session * call an API * manually refresh tokens [MVC Client Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Basics/MvcBasic)GitHub Repository for the MVC Client Sample ### MVC Client with automatic Access Token Management [Section titled “MVC Client with automatic Access Token Management”](#mvc-client-with-automatic-access-token-management) This sample shows how to use [Duende.AccessTokenManagement](/accesstokenmanagement) to automatically manage access tokens. The sample uses a special client in the sample IdentityServer with a short token lifetime (75 seconds). When repeating the API call, make sure you inspect the returned `iat` and `exp` claims to observer how the token is slides. You can also turn on debug tracing to get more insights in the token management library. Key takeaways: * use [Duende.AccessTokenManagement](/accesstokenmanagement) to automate refreshing tokens [MVC Client with automatic Access Token Management Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Basics/MvcTokenManagement)GitHub Repository for the MVC Client with automatic Access Token Management Sample ### MVC Client with JAR and JWT-based Authentication [Section titled “MVC Client with JAR and JWT-based Authentication”](#mvc-client-with-jar-and-jwt-based-authentication) This sample shows how to use signed authorize requests, and JWT-based authentication for clients in MVC. It also shows how to integrate that technique with automatic token management. Key takeaways: * use the ASP.NET Core extensibility points to add signed authorize requests and JWT-based authentication * use JWT-based authentication for automatic token management * configure a client in IdentityServer to share key material for both front- and back-channel [MVC Client with JAR and JWT-based Authentication Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Basics/MvcJarJwt)GitHub Repository for the MVC Client with JAR and JWT-based Authentication Sample ### MVC Client with Back-Channel Logout Notifications [Section titled “MVC Client with Back-Channel Logout Notifications”](#mvc-client-with-back-channel-logout-notifications) This sample shows how to use back-channel logout notifications. Key takeaways: * how to implement the back-channel notification endpoint * how to leverage events on the cookie handler to invalidate the user session [MVC Client with Back-Channel Logout Notifications Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Basics/MvcBackChannelLogout)GitHub Repository for the MVC Client with Back-Channel Logout Notifications Sample ### MVC Client with Pushed Authorization Requests [Section titled “MVC Client with Pushed Authorization Requests”](#mvc-client-with-pushed-authorization-requests) This sample shows how to use [Pushed Authorization Requests](/identityserver/tokens/par/) (PAR). Key takeaways: * how to enable PAR in the client configuration * how to add support for PAR to the ASP.NET OIDC authentication handler. The main idea is to use the events in the handler to push the parameters before redirecting to the authorize endpoint, and then replace the parameters that would normally be sent in that redirect with the resulting request uri. See the `ParOidcEvents.cs` file for more details. [MVC Client with Pushed Authorization Requests Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Basics/MvcPar)GitHub Repository for the MVC Client with Pushed Authorization Requests Sample ----- # Clients > A collection of client technology samples demonstrating how to connect different platforms like .NET 4.8 WebForms, MVC, and .NET MAUI to IdentityServer. This section contains a collection of samples demonstrating various client technologies connecting to Duende IdentityServer. ### Model Context Protocol (MCP) Client [Section titled “Model Context Protocol (MCP) Client”](#model-context-protocol-mcp-client) This sample shows how to secure a Model Context Protocol (MCP) client using OpenID Connect and OAuth 2.0. [Model Context Protocol (MCP) Client Sample ](https://github.com/DuendeSoftware/samples/tree/main/IdentityServer/v7/McpDemo)GitHub Repository for the Model Context Protocol (MCP) Client Sample ### .NET 4.8 Clients [Section titled “.NET 4.8 Clients”](#net-48-clients) This sample shows how to add OpenID Connect code flow with PKCE to a .NET 4.8 WebForms client and a .NET 4.8 MVC Client. Each client can log in, logout, make API requests to a .NET 4.8 WebApi using OAuth, and refresh access tokens. [.NET 4.8 Clients Sample ](https://github.com/DuendeSoftware/Samples/tree/main/various/clients/Owin)GitHub Repository for the .NET 4.8 Clients Sample ### .NET MAUI Client [Section titled “.NET MAUI Client”](#net-maui-client) This sample shows how to use the [IdentityModel.OidcClient](https://github.com/IdentityModel/IdentityModel.OidcClient) open source library to connect a .NET MAUI app to IdentityServer [.NET MAUI Client Sample ](https://github.com/DuendeSoftware/Samples/tree/main/various/clients/Maui)GitHub Repository for the .NET MAUI Client Sample ----- # Configuration API > Samples demonstrating the IdentityServer.Configuration API for Dynamic Client Registration (DCR), permissions management, CI/CD pipeline integration with Personal Access Tokens, and software statement implementation. This section contains a collection of samples demonstrating the configuration API in Duende IdentityServer. ### Dynamic Client Registration [Section titled “Dynamic Client Registration”](#dynamic-client-registration) This sample of the `IdentityServer.Configuration` API shows how to make simple Dynamic Client Registration (DCR) requests. [Dynamic Client Registration Clients Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Configuration/SimpleDcr)GitHub Repository for the Dynamic Client Registration Sample ### Permissions [Section titled “Permissions”](#permissions) This sample of the `IdentityServer.Configuration` API shows how you might make authorization decisions during Dynamic Client Registration (DCR). [Permissions Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Configuration/Permissions)GitHub Repository for the Permissions Sample ### CI/CD Pipeline Using a Personal Access Token [Section titled “CI/CD Pipeline Using a Personal Access Token”](#cicd-pipeline-using-a-personal-access-token) This sample of the IdentityServer.Configuration API shows how you might use Personal Access Tokens to authorize access to the configuration API in a CI/CD pipeline. [CI/CD Pipeline Using a Personal Access Token Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Configuration/PipelineRegistration)GitHub Repository for the CI/CD Pipeline Using a Personal Access Token Sample ### Software Statement [Section titled “Software Statement”](#software-statement) This sample of the IdentityServer.Configuration API shows how you might use a software statement to pass client metadata values used in Dynamic Client Registration. [Software Statement Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Configuration/SoftwareStatement)GitHub Repository for the Software Statement Sample ----- # Diagnostics > Samples demonstrating IdentityServer's diagnostic capabilities with OpenTelemetry integration, including metrics, traces, and logs visualization with .NET Aspire and console tracing. This section contains a collection of samples demonstrating various diagnostics options in Duende IdentityServer. ### Conformance Report v8.0 [Section titled “Conformance Report ”v8.0](#conformance-report) The conformance report assesses your IdentityServer deployment against [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1) and [FAPI 2.0 Security Profile](https://openid.net/specs/fapi-2_0-security-profile.html) specifications. It generates an HTML report of the conformance status of your deployment, accessible via a protected endpoint. In the sample, you can access the report by visiting the `https://localhost:5001/_duende/conformance-report` endpoint. The sample is not intended to showcase all the conformance options. Review the [conformance report documentation](/identityserver/diagnostics/conformance-report/) for more information. [Duende IdentityServer Conformance Report Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v8/IdentityServerHost/)Duende IdentityServer Conformance Report Sample ### OpenTelemetry With .NET Aspire [Section titled “OpenTelemetry With .NET Aspire”](#opentelemetry-with-net-aspire) Duende IdentityServer emits [OpenTelemetry metrics, traces and logs](/identityserver/diagnostics/otel/). This sample uses .NET Aspire to display OpenTelemetry data. The solution contains an IdentityServer host, an API and a web client. The access token lifetime is set to a tiny value to force frequent refresh token flows. Running the sample requires the dotnet aspire workload to be installed with `dotnet workload install aspire`. Run the `Aspire.AppHost` project, it will automatically launch the other projects. This sample is not intended to be a full Aspire sample, it simply uses Aspire as a local standalone tool for displaying traces, logs and metrics. [OpenTelemetry With .NET Aspire Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Diagnostics/Aspire)GitHub Repository for the OpenTelemetry With .NET Aspire Sample ### OpenTelemetry Tracing [Section titled “OpenTelemetry Tracing”](#opentelemetry-tracing) Duende IdentityServer emits [OpenTelemetry traces for input validators, stores and response generators](/identityserver/diagnostics/otel/). The sample shows how to set up OpenTelemetry for console tracing. [OpenTelemetry Tracing Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/Diagnostics/Otel)GitHub Repository for the OpenTelemetry Tracing Sample ----- # Miscellaneous > A collection of specialized IdentityServer samples covering Azure Functions security, mutual TLS with Kestrel, DPoP for proof of possession, server-side session management, and session migration techniques. This section contains a collection of miscellaneous samples demonstrating Duende IdentityServer. ### Securing Azure Functions [Section titled “Securing Azure Functions”](#securing-azure-functions) This sample shows how to parse and validate a JWT token issued by IdentityServer inside an Azure Function. [Securing Azure Functions Sample ](https://github.com/DuendeSoftware/Samples/tree/main/various/JwtSecuredAzureFunction)GitHub Repository for the Securing Azure Functions Sample ### Mutual TLS Using Kestrel [Section titled “Mutual TLS Using Kestrel”](#mutual-tls-using-kestrel) This sample shows how to use Kestrel using MTLS for [client authentication](/identityserver/tokens/client-authentication/) and [proof of possession](/identityserver/tokens/pop/) API access. Using Kestrel will not likely be how MTLS is configured in a production environment, but it is convenient for local testing. This approach requires DNS entries for `mtls.localhost` and `api.localhost` to resolve to `127.0.0.1`, and is easily configured by modifying your local `hosts` file. [Mutual TLS Using Kestrel Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/MTLS)GitHub Repository for the Mutual TLS Using Kestrel Sample ### DPoP [Section titled “DPoP”](#dpop) This sample shows how to access APIs using DPoP for [proof of possession](/identityserver/tokens/pop/#proof-of-possession-styles). It contains two different clients: * one that uses client credentials and DPoP tokens * another that is an interactive ASP.NET Core app using code flow to obtain the DPoP bound tokens Both clients demonstrate the use of the `Duende.AccessTokenManagement` library with DPoP. The sample also contains an API using the `Duende.AspNetCore.Authentication.JwtBearer` library to accept and validate DPoP bound access tokens. [DPoP Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/DPoP)GitHub Repository for the DPoP Sample ### Session Management [Section titled “Session Management”](#session-management) This sample shows how to enable [server-side sessions](/identityserver/ui/server-side-sessions/) and configure the basic settings. The sample requires all three projects to be run at once. Things of note: * In the `IdentityServerHost` project in `Startup.cs`, server-side sessions are enabled with a call to `AddServerSideSessions`. This only uses in-memory server-side sessions by default, so restarting the host will lose session data. * Also in `Startup.cs` with the call to `AddIdentityServer` various settings are configured on the `ServerSideSessions` options object to control the behavior. * The client application configured in `Clients.cs` has `CoordinateLifetimeWithUserSession` enabled, which causes its refresh token to slide the server-side session for the user. * When launching the `IdentityServerHost` project, you should visit the `~/serversidesessions` page to see the active sessions. Note that there is no authorization on this page (so consider adding it based on your requirements). * Once you log in, you should see a user’s session in the list. * As the client app refreshes its access token, you should see the user’s session expiration being extended. * When you revoke the user’s session, the user should be logged out of the client app. [Session Management Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/SessionManagement)GitHub Repository for the Session Management Sample ### Session Migration [Section titled “Session Migration”](#session-migration) This sample shows how to do seamless migration of existing cookie-based session when enabling server side sessions. Normally when server side sessions are enabled, all existing logged-in sessions are invalidated and the users are forced to log in again. If the application has sessions with long lifetimes where it would be a problem to have all users log in again the sessions can be migrated. Instructions for running the sample are in the HostingExtensions.cs file. [Session Migration Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/SessionMigration)GitHub Repository for the Session Migration Sample ----- # Requesting tokens > Samples demonstrating token-related features in IdentityServer, including extension grants for Token Exchange implementation and Personal Access Tokens (PAT) for API integrations without full OAuth clients. This section contains a collection of samples demonstrating Duende IdentityServer token-related features.. ### Extension grants And Token Exchange [Section titled “Extension grants And Token Exchange”](#extension-grants-and-token-exchange) This sample shows an implementation of the Token Exchange specification [RFC 8693](https://tools.ietf.org/html/rfc8693) via the [Duende IdentityServer extension grant mechanism](/identityserver/tokens/extension-grants/). [Extension grants And Token Exchange Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/TokenExchange)GitHub Repository for the Extension grants And Token Exchange Sample ### Personal Access Tokens (PAT) [Section titled “Personal Access Tokens (PAT)”](#personal-access-tokens-pat) This sample shows how to provide a self-service UI to create access tokens. This is a common approach to enable integrations with APIs without having to create full-blown OAuth clients. When combining PATs with the [reference token](/identityserver/tokens/reference/) feature, you also get automatic validation and revocation support. This is very similar to API keys, but does not require custom infrastructure. The sample also contains an API that accepts both JWT and reference tokens. [Personal Access Tokens (PAT) Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/PAT)GitHub Repository for the Personal Access Tokens (PAT) Sample ----- # User Interaction > Samples demonstrating customization of IdentityServer's interactive pages, including custom profile services, step-up authentication, SPA-style login pages, dynamic identity providers, CIBA implementation, and Windows authentication integration. These samples illustrate customization of the [interactive pages](/identityserver/ui) used in your Duende IdentityServer. ### Custom Profile Service [Section titled “Custom Profile Service”](#custom-profile-service) This sample shows how to create a [custom profile service](/identityserver/fundamentals/claims/) to control what claims are issued from your IdentityServer. The majority of the sample is captured in `CustomProfileService.cs` in the `IdentityServer` project. Also, another part of the sample shows how to collect a custom claim during the login workflow when using an external login provider (this is done in the `ExternalLogin/Callback.cshtml.cs` processing logic). This claim value is then stored in the user’s session, and is then ultimately copied into the created tokens via the custom profile service logic. [Custom Profile Service Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/UserInteraction/ProfileService)GitHub Repository for the Custom Profile Service Sample ### Step Up [Section titled “Step Up”](#step-up) This sample shows how to implement [step up](https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/). It consists of three projects: * IdentityServerHost is a token server implemented with Duende IdentityServer. * Api is a protected resource that uses the IdentityServerHost as its authority and can make Step-Up responses when requests don’t meet its authentication requirements. * Client is a client application that uses IdentityServerHost to login and makes requests to the Api. To run the demo, start all three projects and navigate to the Client application at `https://localhost:6001`. From there, you can click on links to pages that will trigger step up in various ways. For example, you could * Click on the secure page to trigger login. * Authenticate with user alice, password alice. * Note that alice does not require MFA to log in. * Click on the MFA page to make an API request that requires MFA. * This will trigger step up for Alice, who should be shown a fake MFA page at IdentityServer before returning to the Client application. * Finally, click on the Recent Auth page to make an API request that requires an authentication in the past minute. The page will show the age of the authentication. * It may be necessary to refresh the page after a minute has passed to trigger step up. From there, you can experiment with other interactions. You can go to the Recent Auth with MFA page that has both authentication requirements, or try the user bob, who always requires MFA. [Step Up Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/UserInteraction/StepUp)GitHub Repository for the Step Up Sample ### SPA-style Login Page [Section titled “SPA-style Login Page”](#spa-style-login-page) This sample shows an example of building the interactive pages (login, consent, logout, and error) as client-rendered ( typical of SPAs), rather than server-rendered. Since there are many different SPA frameworks, the actual pages are coded using vanilla JavaScript. Key takeaways: * how to handle the necessary request parameters * how to contact the backend of IdentityServer to implement the various workflows (login, logout, etc.) * how to implement a backend to support the frontend pages [SPA-style Login Page Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/UserInteraction/SpaLoginUi)GitHub Repository for the SPA-style Login Page Sample ### Dynamic Providers [Section titled “Dynamic Providers”](#dynamic-providers) The [dynamic providers](/identityserver/ui/login/dynamicproviders/) feature allows for loading OpenID Connect identity provider configuration dynamically from a store. This sample sets up a simple database with one dynamic OIDC provider. Some key points about the `IdentityServer` project in the sample: * Execute the command “dotnet run /seed” to create and populate the Sqlite database. * `SeedData.cs` has the code to populate the dynamic provider in the database. * In the `Account/Login/Index.cshtml.cs` file, the code to build the UI to list the dynamic providers is in the `BuildModelAsync` helper. It uses the `IIdentityProviderStore` to query the dynamic provider database. [Dynamic Providers Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/UserInteraction/DynamicProviders)GitHub Repository for the Dynamic Providers Sample ### Adding Other Protocol Types To Dynamic Providers [Section titled “Adding Other Protocol Types To Dynamic Providers”](#adding-other-protocol-types-to-dynamic-providers) The [dynamic providers](/identityserver/ui/login/dynamicproviders/) feature allows for loading OpenID Connect identity provider configuration dynamically from a store. This sample shows how to extend the dynamic providers feature to support additional protocol types, and specifically WS-Federation. Key takeaways: * how to define a custom identity provider model * how to map from the custom identity provider model to the protocol options * how to register the custom protocol type with IdentityServer * how to register the custom protocol type with IdentityServer * how to use the existing provider store to persist custom provider model data [Adding Other Protocol Types To Dynamic Providers Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/UserInteraction/WsFederationDynamicProviders)Adding Other Protocol Types To Dynamic Providers Sample ### Using Sustainsys.Saml2 With Dynamic Providers [Section titled “Using Sustainsys.Saml2 With Dynamic Providers”](#using-sustainsyssaml2-with-dynamic-providers) The [Sustainsys.Saml2](https://saml2.sustainsys.com) open source library adds Saml2 protocol support to ASP.NET Core. It can be used together with the Duende dynamic identity providers feature. The sample is minimalistic to show a simple Saml2 config and does not handle the complete set of Saml2 config options. [Using Sustainsys.Saml2 With Dynamic Providers Sample ](https://github.com/Sustainsys/Saml2.Samples/tree/main/v2/DuendeDynamicProviders)GitHub Repository for the Using Sustainsys.Saml2 With Dynamic Providers Sample ### Client Initiated Backchannel Login (CIBA) [Section titled “Client Initiated Backchannel Login (CIBA)”](#client-initiated-backchannel-login-ciba) This sample shows how a client can make [CIBA](/identityserver/ui/ciba/) login requests using Duende IdentityServer. To run the sample, the IdentityServer and API hosts should be started first. Next run the ConsoleCibaClient which will initiate the backchannel login request. The URL the user would receive to log in and approve the request is being written out to the IdentityServer log (visible in the console window). Follow that URL, log in as “alice”, and then approve the login request to allow the client to receive the results. [Client Initiated Backchannel Login (CIBA) Sample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/UserInteraction/Ciba)GitHub Repository for the Client Initiated Backchannel Login (CIBA) Sample ### Windows Authentication With IIS Hosting [Section titled “Windows Authentication With IIS Hosting”](#windows-authentication-with-iis-hosting) This sample shows how to use Windows Authentication when hosting your IdentityServer behind IIS (or IIS Express). The salient piece to understand is a new `LoginWithWindows` action method in the `AccountController` from the quickstarts. Windows authentication is triggered, and once the result is determined the main authentication session cookie is created based on the `WindowsIdentity` results. Note there is some configuration in `Startup` with a call to `Configure` (mainly to set `AutomaticAuthentication` to `false`). [Windows Authentication With IIS HostingSample ](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/UserInteraction/WindowsAuthentication)GitHub Repository for the Windows Authentication With IIS Hosting Sample