
Dependency Injection Extension Methods

AddIdentityServer returns a builder object that provides many extension methods to add IdentityServer-specific services to the ASP.NET Core service provider. Here’s a list grouped by feature area.

Program.cs
var idsvrBuilder = builder.Services.AddIdentityServer();

Several convenience methods are provided for registering custom stores:

  • AddClientStore<T>

    Registers a custom IClientStore implementation.

  • AddCorsPolicyService<T>

    Registers a custom ICorsPolicyService implementation.

  • AddResourceStore<T>

    Registers a custom IResourceStore implementation.

  • AddIdentityProviderStore<T>

    Registers a custom IIdentityProviderStore implementation.

  • AddPersistedGrantStore<T>

    Registers a custom IPersistedGrantStore implementation for persisting grants such as authorization codes, refresh tokens, reference tokens, and user consent records. Replace the default in-memory store with a durable implementation for production use.

  • AddDeviceFlowStore<T>

    Registers a custom IDeviceFlowStore implementation for persisting device flow authorization codes and user codes during the OAuth 2.0 Device Authorization Grant flow.

  • AddSigningKeyStore<T>

    Registers a custom ISigningKeyStore implementation for persisting automatically managed signing keys. Replace the default file-system store with a durable implementation (e.g. database or key vault) for production deployments with multiple server instances.

  • AddPushedAuthorizationRequestStore<T>

    Registers a custom IPushedAuthorizationRequestStore implementation for persisting Pushed Authorization Requests (PAR). Replace the default in-memory store with a durable implementation for production use.

The in-memory configuration stores can be registered in DI with the following extension methods.

  • AddInMemoryClients

    Registers IClientStore and ICorsPolicyService implementations based on the in-memory collection of Client configuration objects.

  • AddInMemoryIdentityResources

    Registers IResourceStore implementation based on the in-memory collection of IdentityResource configuration objects.

  • AddInMemoryApiScopes

    Registers IResourceStore implementation based on the in-memory collection of ApiScope configuration objects.

  • AddInMemoryApiResources

    Registers IResourceStore implementation based on the in-memory collection of ApiResource configuration objects.

Extension methods to enable caching for configuration data:

  • AddInMemoryCaching

    Registers a keyed HybridCache instance under ServiceProviderKeys.ConfigurationStoreCache. This is required when using any of the caching store decorators below. By default, only the L1 (in-memory) cache tier is used. To enable L2 (distributed) caching, register an IDistributedCache implementation — HybridCache will automatically use it as the L2 tier.

  • AddClientStoreCache<T>

    Registers an IClientStore decorator implementation which will maintain an in-memory cache of Client configuration objects. The cache duration is configurable on the Caching configuration options on the IdentityServerOptions.

  • AddResourceStoreCache<T>

    Registers an IResourceStore decorator implementation which will maintain an in-memory cache of IdentityResource and ApiResource configuration objects. The cache duration is configurable on the Caching configuration options on the IdentityServerOptions.

  • AddCorsPolicyCache<T>

    Registers an ICorsPolicyService decorator implementation which will maintain an in-memory cache of the results of the CORS policy service evaluation. The cache duration is configurable on the Caching configuration options on the IdentityServerOptions.

  • AddIdentityProviderStoreCache<T>

    Registers an IIdentityProviderStore decorator implementation which will maintain an in-memory cache of IdentityProvider configuration objects. The cache duration is configurable on the Caching configuration options on the IdentityServerOptions.
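The following Program.cs is an added example, not code from the Duende documentation or product. It ties together the custom store registration from the Stores section above and the caching decorators from this section: a custom IClientStore (a dictionary stands in for a database-backed implementation, with constructed sample data) is registered through AddClientStoreCache<T> after AddInMemoryCaching, and an optional Redis IDistributedCache supplies the L2 tier. The connection string name "Redis" and the client data are assumptions.

```csharp
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Stores;

var builder = WebApplication.CreateBuilder(args);

var idsvrBuilder = builder.Services.AddIdentityServer(options =>
{
    // Cache durations live on the Caching options of IdentityServerOptions.
    // Keep them short: a disabled or re-secreted client stays in cache until expiry.
    options.Caching.ClientStoreExpiration = TimeSpan.FromMinutes(5);
    options.Caching.ResourceStoreExpiration = TimeSpan.FromMinutes(5);
});

// 1. Required before any caching decorator: registers the keyed HybridCache.
idsvrBuilder.AddInMemoryCaching();

// 2. Register the custom store through the decorator. The type parameter is the
//    store being wrapped; IdentityServer resolves IClientStore to the caching
//    decorator, which forwards cache misses to DatabaseClientStore.
idsvrBuilder.AddClientStoreCache<DatabaseClientStore>();

// Other custom stores are registered directly, e.g. a durable grant store:
// idsvrBuilder.AddPersistedGrantStore<MyPersistedGrantStore>();

// 3. Optional L2 tier. Any IDistributedCache registration is picked up by HybridCache.
//    Redis is shown (package Microsoft.Extensions.Caching.StackExchangeRedis); the
//    connection string name "Redis" is an assumption of this example.
if (builder.Configuration.GetConnectionString("Redis") is { Length: > 0 } redis)
{
    builder.Services.AddStackExchangeRedisCache(o => o.Configuration = redis);
}

var app = builder.Build();
app.UseIdentityServer();
app.Run();

// Stand-in for a database-backed client store; the dictionary content is sample data.
public class DatabaseClientStore : IClientStore
{
    private static readonly Dictionary<string, Client> Clients = new()
    {
        ["orders-batch-job"] = new Client
        {
            ClientId = "orders-batch-job",
            // Only the hash of the secret is stored server-side.
            ClientSecrets = { new Secret("sample-secret-change-me".Sha256()) },
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            AllowedScopes = { "orders.read" },
        },
    };

    public Task<Client?> FindClientByIdAsync(string clientId)
    {
        // A real implementation queries the database here; with the decorator in
        // place this runs once per cache period per client id, not once per request.
        Clients.TryGetValue(clientId, out var client);
        return Task.FromResult(client);
    }
}
```

Two points worth checking in a deployment: the cache duration bounds how long a change in the store (a disabled client, a rotated secret hash) takes to become effective on every instance, and with an L2 tier the Client objects, hashed secrets included, are written to the distributed cache, so that cache needs the same access controls and transport protection as the configuration database.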

The TestUser class models a user, their credentials, and claims in IdentityServer.

Use of TestUser is similar to the use of the “in-memory” stores in that it is intended for prototyping, developing, and/or testing. The use of TestUser is not recommended in production.

  • AddTestUsers

    Registers TestUserStore based on a collection of TestUser objects. TestUserStore is used, for example, by the default quickstart UI. Also registers implementations of IProfileService and IResourceOwnerPasswordValidator that use the test users as a backing store.
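As an added example (not code from the Duende documentation or product), here is a Program.cs that uses the in-memory configuration stores from the section above together with AddTestUsers from this section: identity resources, API scopes, an API resource, a client-credentials client, an interactive code-flow client with PKCE, and one test user. All client ids, secrets, URLs, scope names and user data are constructed sample values.

```csharp
using System.Security.Claims;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Test;

var builder = WebApplication.CreateBuilder(args);

var idsvrBuilder = builder.Services.AddIdentityServer(options =>
{
    // Raise events so that issuance and failures reach the logging pipeline.
    options.Events.RaiseSuccessEvents = true;
    options.Events.RaiseFailureEvents = true;
    options.Events.RaiseErrorEvents = true;
});

// Identity resources: what the "openid" and "profile" scopes release into the id_token.
idsvrBuilder.AddInMemoryIdentityResources(new IdentityResource[]
{
    new IdentityResources.OpenId(),
    new IdentityResources.Profile(),
});

// API scopes, and the API resource (token audience) that groups them.
idsvrBuilder.AddInMemoryApiScopes(new[]
{
    new ApiScope("orders.read", "Read orders"),
    new ApiScope("orders.write", "Write orders"),
});
idsvrBuilder.AddInMemoryApiResources(new[]
{
    new ApiResource("orders-api", "Orders API")
    {
        Scopes = { "orders.read", "orders.write" },
    },
});

// Clients: a machine-to-machine job and an interactive web application.
idsvrBuilder.AddInMemoryClients(new[]
{
    new Client
    {
        ClientId = "orders-batch-job",
        // Store the hash only; the plaintext secret lives in the client's own config.
        ClientSecrets = { new Secret("sample-secret-change-me".Sha256()) },
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        AllowedScopes = { "orders.read" },
        AccessTokenLifetime = 300,
    },
    new Client
    {
        ClientId = "orders-web",
        ClientSecrets = { new Secret("sample-web-secret-change-me".Sha256()) },
        AllowedGrantTypes = GrantTypes.Code,
        RequirePkce = true,  // the default for code flow, stated explicitly
        RedirectUris = { "https://localhost:5002/signin-oidc" },
        PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
        AllowedScopes = { "openid", "profile", "orders.read", "orders.write" },
        AllowOfflineAccess = false,
    },
});

// Test users: development and testing only, as the text above states.
idsvrBuilder.AddTestUsers(new List<TestUser>
{
    new TestUser
    {
        SubjectId = "818727",
        Username = "alice",
        Password = "alice",  // sample credential for local development
        Claims =
        {
            new Claim("name", "Alice Smith"),
            new Claim("email", "alice@example.com"),
        },
    },
});

var app = builder.Build();
app.UseIdentityServer();
app.Run();
```

Because AddTestUsers also registers IProfileService and IResourceOwnerPasswordValidator, replacing it with a real user store in production means providing those two services as well (see AddProfileService and AddResourceOwnerValidator below), not only removing the test users.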

Duende IdentityServer needs key material to sign tokens. This key material can either be created and managed automatically or configured statically.

Duende IdentityServer supports X.509 certificates (both raw files and a reference to the certificate store), RSA keys and EC keys for token signatures and validation. Each key can be configured with a (compatible) signing algorithm, e.g. RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384 or ES512.

You can configure the key material with the following methods:

  • AddSigningCredential

    Adds a signing key that provides the specified key material to the various token creation/validation services.

  • AddDeveloperSigningCredential

    Creates temporary key material at startup time. This is for dev scenarios. The generated key will be persisted in the local directory by default (or just kept in memory).

  • AddValidationKey

    Adds a key for validating tokens. Validation keys are used by the internal token validator and are published in the discovery document.
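The following is an added example, not code from the Duende documentation or product. It selects key material per environment: AddDeveloperSigningCredential in Development, and in every other environment a static X.509 signing certificate from the local machine store plus the previous certificate as a validation key so that a rotation does not invalidate outstanding tokens. The certificate subject names and the X509Store lookup helper are assumptions of this example.

```csharp
using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);
var idsvrBuilder = builder.Services.AddIdentityServer();

if (builder.Environment.IsDevelopment())
{
    // Temporary key generated at startup and, by default, persisted to a file in the
    // content root. Local development only: the file is unprotected and every
    // developer machine ends up with a different key.
    idsvrBuilder.AddDeveloperSigningCredential();
}
else
{
    // Static key material: the current signing certificate (with private key) from the
    // machine store. IdentityServer publishes the public part in the discovery document.
    var current = FindCertificate("CN=idsvr-signing-current")   // sample subject name
        ?? throw new InvalidOperationException("Signing certificate is not installed.");
    idsvrBuilder.AddSigningCredential(current);

    // Rotation: keep the previous certificate as a validation key so tokens signed with it
    // stay valid until they expire and relying parties that cached the old JWKS keep working.
    var previous = FindCertificate("CN=idsvr-signing-previous");  // sample subject name
    if (previous is not null)
    {
        idsvrBuilder.AddValidationKey(previous);
    }
}

var app = builder.Build();
app.UseIdentityServer();
app.Run();

// Looks up a certificate by subject DN in LocalMachine\My. Signing certificates are
// commonly self-signed, so chain validity is not used as a filter here; the trust
// boundary is write access to the machine store.
static X509Certificate2? FindCertificate(string subjectDistinguishedName)
{
    using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    return store.Certificates
        .Find(X509FindType.FindBySubjectDistinguishedName, subjectDistinguishedName, validOnly: false)
        .FirstOrDefault();
}
```

If neither branch registers a static credential, IdentityServer falls back to the automatic key management mentioned at the start of this section; mixing the two is possible but means two sources of signing keys to account for when auditing what appears in the discovery document.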

The following are convenient to add additional features to your IdentityServer.

  • AddExtensionGrantValidator

    Adds an IExtensionGrantValidator implementation for use with extension grants.

  • AddSecretParser

    Adds an ISecretParser implementation for parsing client or API resource credentials.

  • AddSecretValidator

    Adds an ISecretValidator implementation for validating client or API resource credentials against a credential store.

  • AddResourceValidator

    Adds an IResourceValidator implementation for validating whether the requested scopes and resources are valid for a given client.

  • AddScopeParser

    Adds an IScopeParser implementation for parsing the raw scope string from authorization and token requests into individual parsed scope values.

  • AddResourceOwnerValidator

    Adds an IResourceOwnerPasswordValidator implementation for validating user credentials for the resource owner password credentials grant type.

  • AddProfileService

    Adds an IProfileService implementation. The default implementation (found in DefaultProfileService) relies upon the authentication cookie as the only source of claims to issue in tokens.

  • AddAuthorizeInteractionResponseGenerator

    Adds an IAuthorizeInteractionResponseGenerator implementation to customize logic at the authorization endpoint for when a user must be shown a UI for error, login, consent, or any other custom page. The default implementation can be found in the AuthorizeInteractionResponseGenerator class, so consider deriving from this existing class if you need to augment the existing behavior.

  • AddCustomAuthorizeRequestValidator

    Adds an ICustomAuthorizeRequestValidator implementation to customize request parameter validation at the authorization endpoint.

  • AddCustomTokenRequestValidator

    Adds an ICustomTokenRequestValidator implementation to customize request parameter validation at the token endpoint.

  • AddRedirectUriValidator

    Adds an IRedirectUriValidator implementation to customize redirect URI validation.

  • AddAppAuthRedirectUriValidator

    Adds an “AppAuth” (OAuth 2.0 for Native Apps) compliant redirect URI validator (does strict validation but also allows http://127.0.0.1 with random port).

  • AddJwtBearerClientAuthentication

    Adds support for client authentication using JWT bearer assertions.

  • AddMutualTlsSecretValidators

    Adds the X509 secret validators for mutual TLS.

  • AddIdentityProviderConfigurationValidator

    Adds an IdentityProvider configuration validator.

  • AddClientConfigurationValidator

    Adds an IClientConfigurationValidator implementation that validates client configuration when clients are loaded from the store, allowing enforcement of organization-specific client configuration rules.

  • AddCustomBackchannelAuthenticationRequestValidator

    Adds an ICustomBackchannelAuthenticationValidator implementation for adding additional validation logic to CIBA (Client-Initiated Backchannel Authentication) requests.

  • AddBackChannelLogoutService

    Adds an IBackChannelLogoutService implementation that handles sending back-channel logout notifications to clients when a user’s session ends.

  • AddUserSession

    Adds an IUserSession implementation that manages the user’s authentication session, including reading and writing the session cookie and tracking session identifiers. The service is registered as scoped.

  • AddBackchannelAuthenticationUserValidator

    Adds the backchannel login user validator.

  • AddBackchannelAuthenticationUserNotificationService

    Adds an IBackchannelAuthenticationUserNotificationService implementation responsible for notifying the end user of a pending CIBA authentication request (e.g. by sending a push notification or SMS).
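As an added example of the validator extension points listed above (not code from the Duende documentation or product), here is an IClientConfigurationValidator registered with AddClientConfigurationValidator that enforces three organization-specific rules on every client loaded from the store: code-flow clients must require PKCE, redirect URIs must be absolute https URIs (plain http only on the loopback address used by native apps), and clients that can obtain refresh tokens get a capped access token lifetime. The example assumes the ClientConfigurationValidationContext exposes the Client and a SetError method, and that implementing the interface directly replaces the built-in DefaultClientConfigurationValidator; to keep the built-in checks, derive from that class instead and call its ValidateAsync first. The sample client and its values are constructed.

```csharp
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Validation;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddIdentityServer()
    .AddInMemoryClients(new[]
    {
        // Sample client that satisfies the policy below.
        new Client
        {
            ClientId = "orders-web",
            ClientSecrets = { new Secret("sample-web-secret-change-me".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RedirectUris = { "https://app.example.com/signin-oidc" },
            AllowedScopes = { "openid", "profile" },
        },
    })
    .AddClientConfigurationValidator<OrgPolicyClientConfigurationValidator>();

var app = builder.Build();
app.UseIdentityServer();
app.Run();

// Organization policy applied to each client as it is loaded from the store.
public class OrgPolicyClientConfigurationValidator : IClientConfigurationValidator
{
    private const int MaxAccessTokenLifetimeSeconds = 3600;

    public Task ValidateAsync(ClientConfigurationValidationContext context)
    {
        var client = context.Client;

        // Rule 1: authorization code clients must use PKCE. It is the default, but a
        // hand-edited client record can switch it off.
        if (client.AllowedGrantTypes.Contains(GrantType.AuthorizationCode) && !client.RequirePkce)
        {
            context.SetError($"client '{client.ClientId}' uses authorization_code without PKCE");
            return Task.CompletedTask;
        }

        // Rule 2: redirect URIs must be absolute https URIs; http is tolerated only for
        // the loopback address that native apps use.
        foreach (var uri in client.RedirectUris)
        {
            if (!Uri.TryCreate(uri, UriKind.Absolute, out var parsed))
            {
                context.SetError($"client '{client.ClientId}' has a relative redirect URI '{uri}'");
                return Task.CompletedTask;
            }

            var isHttpLoopback = parsed.Scheme == Uri.UriSchemeHttp && parsed.IsLoopback;
            if (parsed.Scheme != Uri.UriSchemeHttps && !isHttpLoopback)
            {
                context.SetError($"client '{client.ClientId}' has a non-https redirect URI '{uri}'");
                return Task.CompletedTask;
            }
        }

        // Rule 3: clients that can mint refresh tokens get short-lived access tokens.
        if (client.AllowOfflineAccess && client.AccessTokenLifetime > MaxAccessTokenLifetimeSeconds)
        {
            context.SetError(
                $"client '{client.ClientId}' access token lifetime exceeds {MaxAccessTokenLifetimeSeconds}s");
        }

        return Task.CompletedTask;
    }
}
```

A client that fails validation is not served by IdentityServer and the error message is logged, so these rules act as a guard against a misconfigured client record reaching the authorization or token endpoint; the log entry is also the place to alert on, since it indicates either an operator mistake or an unexpected change in the client store.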

Extension methods for configuring SAML 2.0 Identity Provider support. Added in v8.0.

  • AddSaml

    Adds SAML 2.0 Identity Provider services to IdentityServer and enables all SAML endpoints except IdP-initiated SSO.

  • AddSamlServiceProviderStore<T>

    Registers a custom ISamlServiceProviderStore implementation.

  • AddInMemorySamlServiceProviders

    Registers an ISamlServiceProviderStore backed by an in-memory collection of SamlServiceProvider configuration objects. Useful for development and testing.

SAML 2.0 Service Provider (External Authentication) (v8.0)

Extension method on AuthenticationBuilder for registering a SAML 2.0 external provider as a static authentication scheme.

  • AddSamlServiceProvider

    Registers the SAML 2.0 SP authentication handler with a SamlServiceProviderOptions configuration. Available with a default scheme name, a custom scheme name, or a custom scheme name and display name.

Financial-Grade Security and Conformance Report (v8.0)

Added in v8.0.

  • AddConformanceReport

    Adds the Financial-Grade Security and Conformance report service that assesses server and client configuration against OAuth 2.1 and FAPI 2.0 specifications. Requires the Duende.IdentityServer.ConformanceReport NuGet package.