Conformance Report
Added in 8.0 (prerelease)
The conformance report assesses your IdentityServer deployment against OAuth 2.1 and FAPI 2.0 Security Profile specifications, generating an HTML report accessible via a protected endpoint.
Installation
Install the NuGet package:
```bash
dotnet add package Duende.IdentityServer.ConformanceReport --prerelease
```
1. Register the Conformance Report
Call AddConformanceReport() on the IdentityServer builder:
```csharp
builder.Services.AddIdentityServer()
    .AddConformanceReport(options =>
    {
        options.Enabled = true;
    });
```
2. Map the Endpoint
Add the conformance report endpoint to your middleware pipeline:
```csharp
app.MapConformanceReport();
```
3. Access the Report
Navigate to: https://your-server/_duende/conformance-report
The endpoint requires an authenticated user by default (see Authorization below).
Configuration Options
ConformanceReportOptions controls the conformance report feature:
- Enabled: Enable or disable the conformance report endpoint. Defaults to false.
- EnableOAuth21Assessment: Include OAuth 2.1 profile assessment in the report. Defaults to true.
- EnableFapi2SecurityAssessment: Include FAPI 2.0 Security Profile assessment in the report. Defaults to true.
- PathPrefix: URL path prefix for the conformance endpoint (no leading slash). Defaults to "_duende".
- ConfigureAuthorization: Authorization policy for the HTML report endpoint. Defaults to requiring an authenticated user.
- AuthorizationPolicyName: ASP.NET Core authorization policy name used internally. Defaults to "ConformanceReport".
- HostCompanyName: Optional company name shown in the report header. Defaults to null.
- HostCompanyLogoUrl: Optional company logo URL shown in the report header. Defaults to null.
Authorization
By default, the report endpoint requires an authenticated user. Customize the policy using ConfigureAuthorization:
```csharp
builder.Services.AddIdentityServer()
    .AddConformanceReport(options =>
    {
        options.Enabled = true;

        // Require a specific role
        options.ConfigureAuthorization = policy => policy.RequireRole("Admin");

        // Or require multiple conditions
        // options.ConfigureAuthorization = policy => policy
        //     .RequireRole("Admin")
        //     .RequireClaim("department", "IT");

        // Or allow anonymous (development/testing only)
        // options.ConfigureAuthorization = policy =>
        //     policy.RequireAssertion(_ => builder.Environment.IsDevelopment());
    });
```
Understanding the Report
The HTML report displays:
- Server Configuration — a matrix of server-level conformance rules and their status
- Client Configurations — a matrix of per-client conformance rules and their status
- Rule Legend — explanation of each rule identifier
- Notes — detailed messages for warnings and failures
Status Indicators
| Status | Meaning |
|---|---|
| Pass | Requirement is met |
| Fail | Requirement is not met (configuration is non-conformant) |
| Warning | Recommended practice is not followed |
| N/A | Rule is not applicable to this configuration |
Requirements
The conformance report uses IClientStore.GetAllClientsAsync to enumerate all clients for assessment. Custom IClientStore implementations must implement this method (added in v8.0). See the upgrade guide for details.
Full Example
```csharp
builder.Services.AddIdentityServer()
    .AddInMemoryClients(Config.Clients)
    .AddConformanceReport(options =>
    {
        options.Enabled = true;
        options.EnableOAuth21Assessment = true;
        options.EnableFapi2SecurityAssessment = true;
        options.HostCompanyName = "Acme Corp";
        options.ConfigureAuthorization = policy => policy.RequireRole("ComplianceTeam");
    });

// ...

app.MapConformanceReport();
app.UseIdentityServer();
```
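A variation on the Authorization and Full Example snippets that keeps the report off unless a deployment opts in and picks the policy per environment. This is an added example, not Duende's code. The "ConformanceReport:Enabled" configuration key, the "ComplianceTeam" role and the "department" claim are assumptions, and the host is assumed to have authentication configured already.

```csharp
// Added example: environment-aware setup of the conformance report.
// Config.Clients is the same placeholder client list used in the Full Example.
var builder = WebApplication.CreateBuilder(args);

// Assumed configuration key. A missing key yields false, which matches the
// documented default for Enabled, so the endpoint stays off until opted in.
var reportEnabled = builder.Configuration.GetValue<bool>("ConformanceReport:Enabled");
var isDevelopment = builder.Environment.IsDevelopment();

builder.Services.AddIdentityServer()
    .AddInMemoryClients(Config.Clients)
    .AddConformanceReport(options =>
    {
        options.Enabled = reportEnabled;

        if (isDevelopment)
        {
            // Development only: the assertion always succeeds, so no login is needed.
            options.ConfigureAuthorization = policy =>
                policy.RequireAssertion(_ => true);
        }
        else
        {
            // Everywhere else: the caller must be signed in, hold the role
            // and carry the claim. All three requirements must pass.
            options.ConfigureAuthorization = policy => policy
                .RequireAuthenticatedUser()
                .RequireRole("ComplianceTeam")
                .RequireClaim("department", "IT");
        }
    });

var app = builder.Build();

app.MapConformanceReport();
app.UseIdentityServer();

app.Run();
```

The page's own development-only snippet, RequireAssertion(_ => builder.Environment.IsDevelopment()), evaluates to false outside development and therefore denies every caller there; the split above is for deployments that still need the report in other environments.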