Glossary
The glossary below provides definitions and explanations of commonly used terms and features within the security and identity management domain. Explore each term to gain a deeper understanding of its functionality and relevance.
Client
A client is a piece of software that requests tokens from your IdentityServer, either for authenticating a user (requesting an identity token) or for accessing a resource (requesting an access token). A client must first be registered with your IdentityServer before it can request tokens, and it is identified by a unique client ID.
There are many different client types, e.g. web applications, native mobile or desktop applications, SPAs, server processes, etc.
Automatic Key Management
License: Business
The automatic key management feature creates and manages key material for signing tokens and follows best practices for handling this key material, including storage and rotation.
Server-side Session Management
License: Business
The server-side session management feature extends the ASP.NET Core cookie authentication handler to maintain a user’s authentication session state in a server-side store, rather than putting it all into a self-contained cookie. Using server-side sessions enables more architectural features in your IdentityServer, such as:
- query and manage active user sessions (e.g. from an administrative app).
- detect session expiration and perform cleanup, both in IdentityServer and in client apps.
- centralize and monitor session activity in order to achieve a system-wide inactivity timeout.
BFF Security Framework
License: Business
The Duende BFF (Backend for Frontend) security framework packages up guidance and the necessary components to secure browser-based frontends (e.g. SPAs or Blazor WASM applications) with ASP.NET Core backends.
Dynamic Client Registration
License: Business
An implementation of RFC 8707 that provides a standards-based endpoint for registering clients and their configuration.
Pushed Authorization Requests
License: Business
An implementation of RFC 9126 that provides a more secure way to start a browser-based token/authentication request.
Dynamic Authentication Providers
License: Enterprise
The dynamic configuration feature allows the configuration for OpenID Connect providers to be loaded dynamically from a store. This is designed to address the performance concern of loading many providers at startup and to allow configuration changes to be applied to a running server.
Resource Isolation
License: Enterprise
The resource isolation feature allows a client to request access tokens for an individual resource server. This allows API-specific features such as access token encryption and isolation of APIs that are not in the same trust boundary.
Client-Initiated Backchannel Authentication (CIBA)
License: Enterprise
Duende IdentityServer supports the Client-Initiated Backchannel Authentication Flow (also known as CIBA). This allows a user to log in with a higher-security device (e.g. their mobile phone) than the device on which they are using an application (e.g. a public kiosk). CIBA is one of the requirements for Financial-grade API compliance.
Proof-of-Possession At The Application Layer / DPoP
License: Enterprise
A mechanism for sender-constraining OAuth 2.0 tokens by requiring proof of possession at the application layer. This allows replay of access and refresh tokens to be detected.
Single Deployment
A single deployment acts as a single OpenID Connect / OAuth authority hosted at a single URL. It can consist of multiple physical or virtual nodes for load-balancing or fail-over purposes.
Multiple Deployment
Either multiple completely independent single deployments, or a single deployment that acts as multiple authorities.
Multiple Authorities
A single logical deployment that acts as multiple logical token services on multiple URLs or host names (e.g. for branding, isolation or multi-tenancy reasons).
Standard Developer Support
Online developer community forum for Duende Software product issues and bugs.
Priority Developer Support
Helpdesk system with guaranteed response time for Duende Software product issues and bugs.