IdentityServer v7.3.0

Released: Aug 14, 2025

What's new in v7.3.0

Features

  • FAPI 2.0 Profile Certification - IdentityServer is now officially certified as conformant with the FAPI 2.0 Security Profile.
    • Added a new option for clock skew when validating JWTs.
    • Added the PAR endpoint to the discovery doc's mTLS aliases.
    • Added support for the DPoP header at the PAR endpoint.
    • Port number in mTLS configuration is now respected.
    • Adjusted Multiple DPoP Token Error.
    • Added new options for allowed signing algorithms for JWTs and DPoP proof tokens for scenarios when the supported algorithms need to be restricted such as the FAPI 2.0 Profile.
    • Adjusted Default Values for Clock Skew Config Options.
    • Changed error when required DPoP proof is missing.
    • Reworked supported algorithm options.
    • When the mTLS middleware fails to validate the incoming client certificate, or if no certificate is presented, it now returns an HTTP 400 response that includes the standardized JSON error.
    • If both an mTLS certificate and DPoP proof are sent to the token endpoint, the resulting token is bound to the proof.
    • You can now handle cases where mTLS is used for client authentication in conjunction with DPoP proof tokens to ensure the htu claim passes validation.
  • JWT Response from Introspection Endpoint - IdentityServer now supports RFC 9701 to return a JWT Response from the Introspection endpoint.
  • Diagnostic Data - Diagnostic data has been added to IdentityServer to help support with troubleshooting.
    • Diagnostic Summary Setup.
    • Auth Scheme Diagnostic Entry.
    • Registered Implementations Diagnostic Entry.
    • IdentityServerOptions Diagnostic Entry.
    • Data Protection Diagnostic Entry.
    • Token Issue Count Diagnostic Entry.
    • License Usage Summary Diagnostic Entry.
    • Basic Server Info Diagnostic Entry.
    • Endpoint Usage Diagnostic Entry.
    • Chunk diagnostics and update diagnostic options.
    • Client Info Diagnostic Entry.
    • Resource Info Diagnostic Entry.
    • Registered Implementation Diagnostic Entry Tweaks.
    • Assembly Info Diagnostic Entry Tweaks.
    • Removed assemblyCount from diagnostics.
    • Removed pop from the names of token counts in diagnostics.
    • Diagnostic Summary Log Tweaks.
    • Updated Diagnostic Summary Log Source Name.
    • Log diagnostic summary on shutdown.
    • Added informational version to assembly info diagnostic entry.
  • Moved OpenTelemetry Metrics from Experimental to Stable - Removed "Duende.IdentityServer.Experimental" service name from telemetry.
  • Updated License Usage Warnings - New warnings have been added around license compliance to help identify misuse of IdentityServer licenses prior to more strict license enforcement in the future.
    • License Expiration Warning.
    • V2 License Functionality Updates.
    • Source Generator Based Logging for V2 License Code.
    • V2 License Client Warnings.
    • V2 License Issuer Warnings.
    • Updated licensing messages.
  • Code Quality
    • Refactored exception handling and minor code improvements.
    • Removed redundant comment delimiters in license header.
    • Switched to TargetFrameworks for multi-framework support.
    • You can now filter client credentials in ToOptimizedFullDictionary method.
    • Updated in-code links to v7.
    • Sanitized Log Input.
    • Removed extra global.json from identityserver.
    • You can now use DefaultConcurrencyLock as a Singleton instead of Transient.
  • Breaking Changes
    • There are no schema changes needed for IdentityServer 7.3.0. Small code changes may be required for some users to upgrade.
      • The SendLogoutNotificationAsync method has been removed from the DefaultBackChannelLogoutService class.
        • Fixed Concurrent DbContext Access on Back Channel Logout.
        • This fixes a bug where, when using EntityFramework, code that previously executed in parallel had to be modified to execute sequentially. That change necessitated the removal of the SendLogoutNotificationAsync method from the DefaultBackChannelLogoutService class. Anyone who had previously overridden SendLogoutNotificationAsync as an extensibility point will likely need to move their customization to the PostLogoutJwt method.
      • Client Secret is now required for Clients with ClientCredentials Grant.
        • Previously, it was possible to configure a Client to allow the ClientCredentials grant without requiring a client secret, which is undesirable. The default validation of Clients has been updated to ensure that any Client which allows the ClientCredentials grant also sets the RequireClientSecret flag to true, so that a confidential client can no longer be configured to behave like a public client.
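As an added illustration, not text from the release notes or code from the IdentityServer project: the two client definitions below show the shape of configuration that the updated default client validation rejects (a client_credentials client with RequireClientSecret set to false) and the shape it accepts. The client id, scope name and secret value are constructed placeholders.

```csharp
using Duende.IdentityServer.Models;

// Constructed example client definitions (placeholder ids, scope and secret).
public static class ExampleClients
{
    // Before 7.3.0 this configuration was accepted by the default client
    // validation: a machine-to-machine client allowed to use client_credentials
    // while RequireClientSecret is false, so it could obtain tokens with no
    // credential at all. In 7.3.0 the default validation rejects it.
    public static Client Rejected() => new Client
    {
        ClientId = "batch-job",                      // constructed client id
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        RequireClientSecret = false,                 // the flag 7.3.0 validation requires to be true
        AllowedScopes = { "api1" }                   // constructed scope name
    };

    // Configuration that passes the 7.3.0 validation: the client must
    // authenticate with a registered secret before it can use client_credentials.
    public static Client Accepted() => new Client
    {
        ClientId = "batch-job",
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        RequireClientSecret = true,                  // also the default value; shown explicitly
        ClientSecrets = { new Secret("replace-with-a-generated-secret".Sha256()) },
        AllowedScopes = { "api1" }
    };
}
```

When auditing an existing client store before upgrading, the property to look for is any client whose AllowedGrantTypes includes client_credentials while RequireClientSecret is false; after the upgrade such entries fail the default validation rather than silently issuing tokens to an unauthenticated caller.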

Bug Fixes

  • Persistent Cookies, Server Side Sessions, and Session Lifetime Coordination Fix.
  • Handle case-insensitive JSON claim value types.
  • Ensure session lifetime coordination is invoked when a session expires.
  • Ensure Client Secret is Required for Clients with ClientCredentials Grant.
  • Fixed null ref in UserInfoRequestValidator.
  • Don't unnecessarily return scope parameter from authorize endpoint.
  • Addressed an unhandled exception path & nullability concerns.
  • Don't return redirect URI or response mode on unsafe errors.
  • Fixed DCR customizations for EF client configuration.
  • Added and tested unhandled exception logging filter logic.
  • Fixed Concurrent DbContext Access on Back Channel Logout.
  • Code Quality
    • Added Missing Test Attributes.
    • Fixed up an accidentally reverted Shouldly change.