IdentityServer
The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
Currently we include offline_access in every access token's scope. When using the resource param, when ApiResources don't list offline_access as a scope, then we should filter it -- they aren't...
https://github.com/DuendeSoftware/Support/issues/659
**Which version of Duende IdentityServer are you using?** 6.1.7 **Which version of .NET are you using?** 6.0 **Describe the bug** As part of a security audit, the `/connect/endsession/callback` was flagged...
Once published: https://openid.net/specs/openid-connect-native-sso-1_0.html
Log (info level) if OIDC state data formatter is enabled with in-memory distributed cache. I've had a few cases in support where the OIDC state data formatter has been...
The external cookies are sometimes very large and if the upstream IdP cannot be changed it's hard to do anything about the number of claims and token sizes. The claims...
We could take the existing logic that compares the id token hint's sub to the session's sub and move it into a new virtual method. More flexibility in the end...