Duende IdentityServer v7.2 to v7.3
This upgrade guide covers upgrading from Duende IdentityServer v7.2 to v7.3 (release notes).
IdentityServer 7.3.0 is a significant release that includes:
- FAPI 2.0 Security Profile certification
- JWT Response from the introspection endpoint (RFC 9701)
- Diagnostic data
- Removal of the experimental label from OpenTelemetry metrics
- Additional license compliance warnings
- Several bug fixes
- Numerous small code quality and performance enhancements from the community
There are no schema changes needed for IdentityServer 7.3. Small code changes may be required for some users to upgrade:
- The SendLogoutNotificationAsync method has been removed from the DefaultBackChannelLogoutService class
- A client secret is now required for clients that allow the ClientCredentials grant
Step 1: Update NuGet package
In your IdentityServer host project, update the version of the NuGet package. For example, in your project file:

```xml
<PackageReference Include="Duende.IdentityServer" Version="7.2.0" />
```

would change to:

```xml
<PackageReference Include="Duende.IdentityServer" Version="7.3.0" />
```
Step 2: Breaking Changes
Small code changes may be required for some users to upgrade.
The SendLogoutNotificationAsync Method Has Been Removed From The DefaultBackChannelLogoutService Class
To fix a bug that occurred when using Entity Framework Core (an EF Core DbContext is not safe for concurrent use), code that previously sent back-channel logout notifications in parallel had to be changed to send them sequentially. This required removing the SendLogoutNotificationAsync method from the DefaultBackChannelLogoutService class.
If you previously overrode SendLogoutNotificationAsync as an extensibility point, you will likely need to move your customization to the PostLogoutJwt method, which is now invoked once per client, one client at a time.
https://github.com/DuendeSoftware/products/pull/2019
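As an added illustration of moving such a customization (this is example code, not Duende's own), the service below subclasses DefaultBackChannelLogoutService and overrides PostLogoutJwt to enforce an HTTPS-only delivery policy and write an audit entry before delegating to the base implementation. The PostLogoutJwt(BackChannelLogoutRequest, string) signature and the base constructor parameter list are assumptions for IdentityServer 7.x; compare them against the DefaultBackChannelLogoutService in the package version you reference.

```csharp
// Added example, not part of Duende IdentityServer. Assumed: PostLogoutJwt signature and the
// DefaultBackChannelLogoutService constructor parameters match your 7.x package version.
using System;
using System.Threading.Tasks;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using Microsoft.Extensions.Logging;

public class AuditingBackChannelLogoutService : DefaultBackChannelLogoutService
{
    private readonly ILogger<AuditingBackChannelLogoutService> _auditLogger;

    public AuditingBackChannelLogoutService(
        IClock clock,
        IdentityServerTools tools,
        ILogoutNotificationService logoutNotificationService,
        IBackChannelLogoutHttpClient backChannelLogoutHttpClient,
        IIssuerNameService issuerNameService,
        ILogger<IBackChannelLogoutService> logger,
        ILogger<AuditingBackChannelLogoutService> auditLogger)
        : base(clock, tools, logoutNotificationService, backChannelLogoutHttpClient, issuerNameService, logger)
    {
        _auditLogger = auditLogger;
    }

    // In 7.3 the base class calls this once per client, sequentially. Keep it that way:
    // do not fan out into parallel work here if anything below uses an EF Core DbContext.
    protected override Task PostLogoutJwt(BackChannelLogoutRequest request, string logoutToken)
    {
        // Illustrative policy (assumption for this example): deliver logout tokens only over TLS.
        if (!Uri.TryCreate(request.LogoutUri, UriKind.Absolute, out var uri) ||
            uri.Scheme != Uri.UriSchemeHttps)
        {
            _auditLogger.LogWarning(
                "Refusing back-channel logout to non-HTTPS URI {LogoutUri} for client {ClientId}",
                request.LogoutUri, request.ClientId);
            return Task.CompletedTask;
        }

        // Audit the delivery, but never log the token itself: it is a signed credential.
        _auditLogger.LogInformation(
            "Sending back-channel logout for client {ClientId}, subject {SubjectId}, session {SessionId}",
            request.ClientId, request.SubjectId, request.SessionId);

        return base.PostLogoutJwt(request, logoutToken);
    }
}

// Registration, placed after AddIdentityServer() in Program.cs so it replaces the default service:
// builder.Services.AddTransient<IBackChannelLogoutService, AuditingBackChannelLogoutService>();
```

Because DI resolves the last registration of IBackChannelLogoutService, the AddTransient call must come after AddIdentityServer(); registering it earlier leaves the default service in place.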
Client Secret Is Now Required For Clients With ClientCredentials Grant
Previously, it was possible to configure a client that allowed the ClientCredentials grant without requiring a client secret. This is undesirable: the ClientCredentials grant has no user involved, so the secret is the only thing authenticating the caller, and without it anyone who knows the client id can obtain tokens.
The default client validation has been updated to ensure that any client which allows the ClientCredentials grant also sets the RequireClientSecret flag to true, so that a confidential client can no longer be configured to behave like a public client. Before upgrading, review your client configuration (in code or in your client store) for ClientCredentials clients with RequireClientSecret set to false; such clients fail validation in 7.3 and must be given a secret.
https://github.com/DuendeSoftware/products/pull/1796
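The following added example (not from the page or from Duende) shows the rejected configuration next to its corrected form, plus a small pre-upgrade audit helper that finds ClientCredentials clients without a required secret in any collection of Client objects. The client id, scope and secret value are placeholders chosen for the example.

```csharp
// Added example, not part of Duende IdentityServer. Client id, scope and secret are placeholders.
using System.Collections.Generic;
using System.Linq;
using Duende.IdentityServer.Models;

public static class ClientCredentialsUpgradeCheck
{
    // Accepted before 7.3: a confidential grant with no credential at all.
    // In 7.3 this fails the default client configuration validation.
    public static Client Before() => new Client
    {
        ClientId = "batch-job",
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        RequireClientSecret = false,
        AllowedScopes = { "api1" }
    };

    // 7.3 and later: require a secret (the default, shown explicitly) and give the client one.
    public static Client After() => new Client
    {
        ClientId = "batch-job",
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        RequireClientSecret = true,
        // Store only the hash; the plaintext is handed to the client out of band.
        ClientSecrets = { new Secret("replace-with-a-long-random-secret".Sha256()) },
        AllowedScopes = { "api1" }
    };

    // Pre-upgrade audit over whatever client source you use (in-memory list, EF store, ...):
    // returns the clients that the new validation rule will reject.
    public static IEnumerable<Client> FindClientCredentialsClientsWithoutSecret(IEnumerable<Client> clients) =>
        clients.Where(c => c.AllowedGrantTypes.Contains(GrantType.ClientCredentials)
                           && !c.RequireClientSecret);
}
```

Run the audit against the same client set your production host loads (for the EF store, query the Clients table with its grant types and secrets) before updating the package, so that no ClientCredentials client silently stops being issued tokens after the upgrade.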
Removal Of The Experimental Label From OpenTelemetry Metrics
Several OpenTelemetry metrics previously created by the meter named “Duende.IdentityServer.Experimental” have been moved to the “Duende.IdentityServer” meter. If your metrics pipeline subscribes to meters by name, add the new name, or the moved instruments will no longer be collected.
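An added example of the corresponding host configuration (not from the page or from Duende): it subscribes to the new meter name and, for the transition, keeps the old one so that any instrument still emitted under it is not lost. It assumes the OpenTelemetry.Extensions.Hosting and OpenTelemetry.Exporter.OpenTelemetryProtocol packages are referenced.

```csharp
// Added example, not part of Duende IdentityServer. Assumes the OpenTelemetry.Extensions.Hosting
// and OpenTelemetry.Exporter.OpenTelemetryProtocol packages are referenced by the host project.
using OpenTelemetry.Metrics;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddOpenTelemetry()
    .WithMetrics(metrics => metrics
        // 7.3: the promoted instruments are emitted by the "Duende.IdentityServer" meter.
        // A pipeline that only lists "Duende.IdentityServer.Experimental" stops receiving them.
        .AddMeter("Duende.IdentityServer")
        // Keep the old name during the transition; drop it once dashboards show data
        // under the new meter for everything you rely on.
        .AddMeter("Duende.IdentityServer.Experimental")
        .AddOtlpExporter());

var app = builder.Build();
app.Run();
```

Alerts and dashboards keyed on the meter name need the same change; the instrument names themselves are unaffected by the move.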
Default Supported Signing Algorithms Have Changed For Client Assertions And Request Objects
To support the FAPI 2.0 Security Profile, we’ve added new options to configure the supported signing algorithms for client assertions and request objects, and only included asymmetric algorithms by default. Before this release, all signing algorithms were supported, including the symmetric algorithms HS256, HS384, and HS512.
Symmetric algorithms sign with a shared secret, so the same key that verifies a client assertion or request object can also forge one, and any party holding it (including IdentityServer itself) can impersonate the client; that is why they are no longer enabled by default.
If you’re using symmetric keys to sign client assertions or request objects, you can restore the previous behavior by adding the following code to your IdentityServer configuration. The lists below reproduce the full previous set; a tighter configuration includes only the algorithms your clients actually use.
```csharp
using Microsoft.IdentityModel.Tokens;

builder.Services.AddIdentityServer(options =>
{
    // To re-enable symmetric algorithms for signing client assertions:
    options.SupportedClientAssertionSigningAlgorithms =
    [
        SecurityAlgorithms.RsaSha256, SecurityAlgorithms.RsaSha384, SecurityAlgorithms.RsaSha512,
        SecurityAlgorithms.RsaSsaPssSha256, SecurityAlgorithms.RsaSsaPssSha384, SecurityAlgorithms.RsaSsaPssSha512,
        SecurityAlgorithms.EcdsaSha256, SecurityAlgorithms.EcdsaSha384, SecurityAlgorithms.EcdsaSha512,
        SecurityAlgorithms.HmacSha256, SecurityAlgorithms.HmacSha384, SecurityAlgorithms.HmacSha512
    ];

    // To re-enable symmetric algorithms for signing request objects:
    options.SupportedRequestObjectSigningAlgorithms =
    [
        SecurityAlgorithms.RsaSha256, SecurityAlgorithms.RsaSha384, SecurityAlgorithms.RsaSha512,
        SecurityAlgorithms.RsaSsaPssSha256, SecurityAlgorithms.RsaSsaPssSha384, SecurityAlgorithms.RsaSsaPssSha512,
        SecurityAlgorithms.EcdsaSha256, SecurityAlgorithms.EcdsaSha384, SecurityAlgorithms.EcdsaSha512,
        SecurityAlgorithms.HmacSha256, SecurityAlgorithms.HmacSha384, SecurityAlgorithms.HmacSha512
    ];
});
```
https://github.com/DuendeSoftware/products/pull/2077
Step 3: Done!
That’s it. Of course, at this point you can and should test that your IdentityServer is updated and working properly. In particular, confirm that every ClientCredentials client still obtains tokens, that clients authenticating with symmetric-key client assertions or request objects are still accepted if you re-enabled those algorithms, that back-channel logout notifications still reach their clients, and that your metrics pipeline still receives the instruments that moved to the “Duende.IdentityServer” meter.