IdentityServer v7.4.0

Released: Dec 2, 2025

Updates in v7.4.0

Features

  • Set HTTP activity name on routing - Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
  • Skip front-channel logout iframe when unnecessary - Enabled the UI to skip rendering the front channel logout iframe when it is not needed.
  • Callback Option for Path Detection in Dynamic Providers - Added a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new PathMatchingCallback setting can be used as an alternative to the previously existing PathPrefix option.
  • Improved UI locales support:
    • Improved support for the ui_locales parameter in protocol requests that support it, allowing for better localization.
    • The default implementation, DefaultUiLocalsService.cs, delegates to the CookieRequestCultureProvider if it is present and any of the values passed in the ui_locales parameter match a supported UI culture.
    • If the default implementation does not meet your needs, IUiLocalesService can be implemented and registered with DI.
  • RFC 8414 support - Added out-of-the-box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414.
  • Support for custom parameters in authorize response - Added a new CustomParameters property to AuthorizeResponse to support adding custom query parameters to the redirect URI. This will typically be used in conjunction with a custom IAuthorizeResponseGenerator.
  • Use Customizable Filter to Persist Session Claims in ASP.NET Identity:
    • The ASP.NET Identity integration package now persists session claims based on ISessionClaimsFilter.FilterToSessionClaimsAsync which comes with a default implementation.
    • The new interface can be implemented to customize which session claims are persisted in non-default scenarios.
  • Added support for .NET 10.
  • Updated IS and BFF to IM 8.0.0 Preview 1 and ATM Previews.
  • Added a service for diagnostic data.
  • Enable Customizing ErrorMessage on Redirect to Error Page - Added an extension point for customizing the ErrorMessage sent to the error page when an error which is not safe to return to the client occurs during an authorize request.
  • Updated the referenced Duende FOSS packages to their respective GA versions which added .NET 10 as a target.
  • Breaking Changes:
    • There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.
    • Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public.
    • Marked static properties referring to counters in Telemetry.cs as readonly.

Bug Fixes

  • Reject Pushed Authorization Requests with parameters duplicated in a JAR - Fixed a bug where a PAR posted with the "request" request parameter was still allowed to carry other request parameters. Such a request will now correctly return an invalid request error.
  • Emit telemetry event on successful token introspection - Fixed a bug where the telemetry event for token introspection was not being emitted.
  • Consolidated EF Core versions to prevent missing method exceptions - Fixed an issue where a mismatch of .NET versions and EF versions caused a method not found exception.
  • Catch potential OperationCanceledException in DiagnosticHostedService - Fixed an issue where the PeriodicTimer can throw an OperationCanceledException when the DiagnosticHostedService stops, which was causing issues with some testing frameworks.
  • Trigger Back Channel Logout Earlier in Pipeline - When an upstream IdP triggered front-channel logout to IdentityServer, IdentityServer was not sending back-channel logout requests.
  • Better DCR Support for Public Clients - Dynamic client registration requests with a token_endpoint_auth_method value of none were not being properly processed.
  • Code Quality - Fixed typo in XML doc for Client.CoordinateLifetimeWithUserSession.
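
The Pushed Authorization Request fix above matches the rule in RFC 9126 (section 3): when the form body carries a `request` object, only client authentication parameters may accompany it. The Python check below is an added illustration of that rule, not IdentityServer code; the function names and sample values are constructed, and an unsigned JWT stands in for a signed request object.

```python
import base64
import json
from urllib.parse import parse_qsl, urlencode

# Form parameters that client authentication may need outside the request
# object (RFC 9126, section 3). Everything else belongs inside the JWT.
CLIENT_AUTH_PARAMS = {"client_id", "client_secret",
                      "client_assertion", "client_assertion_type"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jar_claims(jwt: str) -> dict:
    """Decode the payload only; signature validation is out of scope here."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_par_body(body: str) -> dict:
    """Apply the 'request object excludes other parameters' rule to a PAR body."""
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    if "request" not in names:
        return {"ok": True}  # plain PAR, nothing to cross-check
    if names.count("request") > 1:
        return {"ok": False, "error": "invalid_request",
                "extra": ["request"], "shadowed": []}
    extra = sorted(set(names) - CLIENT_AUTH_PARAMS - {"request"})
    if not extra:
        return {"ok": True}
    claims = jar_claims(dict(parse_qsl(body))["request"])
    return {"ok": False, "error": "invalid_request", "extra": extra,
            # parameters that would compete with a value inside the JWT
            "shadowed": [n for n in extra if n in claims]}


# Constructed sample: an unsigned JWT stands in for a real signed request object.
SAMPLE_JAR = ".".join([
    b64url(json.dumps({"alg": "none"}).encode()),
    b64url(json.dumps({"client_id": "app", "response_type": "code",
                       "redirect_uri": "https://app.example/cb",
                       "scope": "openid"}).encode()),
    ""])
CLEAN = urlencode({"client_id": "app", "client_secret": "s3cr3t", "request": SAMPLE_JAR})
MIXED = CLEAN + "&" + urlencode({"scope": "openid api", "state": "xyz"})

if __name__ == "__main__":
    print(check_par_body(CLEAN))
    print(check_par_body(MIXED))
```

The `shadowed` list separates parameters that merely sit beside the request object from those that also exist as claims inside it, which is the duplicated case the fix title names.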