Added client_secret_jwt breaking change to upgrade docs

wcabus · wcabus · commit 17bb96f9c618 · 2025-06-30T14:58:16.000+02:00
diff --git a/src/content/docs/identityserver/upgrades/v7_2-to-v7_3.md b/src/content/docs/identityserver/upgrades/v7_2-to-v7_3.md
@@ -9,7 +9,7 @@ This upgrade guide covers upgrading from Duende IdentityServer v7.2 to v7.3 ([re
 
 IdentityServer 7.3.0 is a significant release that includes:
 
-- [FAPI 2.0 Security Profile](https://openid.net/specs/fapi-security-profile-2_0-final.html) certification
+- [FAPI 2.0 Security Profile][1] certification
 - JWT Response from the introspection endpoint ([RFC 9701](https://www.rfc-editor.org/rfc/rfc9701.html))
 - Diagnostic data
 - Removal of the experimental label from OpenTelemetry metrics
@@ -63,6 +63,64 @@ https://github.com/DuendeSoftware/products/pull/1796
 Several [OpenTelemetry metrics](/identityserver/diagnostics/otel.md#detailed-metrics) previously created by the meter named
 "Duende.IdentityServer.Experimental" have been moved to the "Duende.IdentityServer" meter.
 
+#### Default Supported Signing Algorithms Have Changed For Client Assertions And Request Objects
+
+To support the [FAPI 2.0 Security Profile][1], we've added new options to configure the supported signing algorithms for 
+client assertions and request objects, and only included asymmetric algorithms by default. Before this release, all 
+signing algorithms were supported, including the symmetric algorithms `HS256`, `HS384`, and `HS512`.
+ 
+If you're using symmetric keys to sign client assertions or request objects, you can restore the previous behavior by adding the 
+following code to your IdentityServer configuration:
+
+```csharp title="Program.cs" {4,18-20,24,38-40}
+builder.Services.AddIdentityServer(options =>
+{
+    // To re-enable symmetric algorithms for signing client assertions:
+    options.SupportedClientAssertionSigningAlgorithms = 
+    [
+        SecurityAlgorithms.RsaSha256,
+        SecurityAlgorithms.RsaSha384,
+        SecurityAlgorithms.RsaSha512,
+
+        SecurityAlgorithms.RsaSsaPssSha256,
+        SecurityAlgorithms.RsaSsaPssSha384,
+        SecurityAlgorithms.RsaSsaPssSha512,
+
+        SecurityAlgorithms.EcdsaSha256,
+        SecurityAlgorithms.EcdsaSha384,
+        SecurityAlgorithms.EcdsaSha512,
+
+        SecurityAlgorithms.HmacSha256,
+        SecurityAlgorithms.HmacSha384,
+        SecurityAlgorithms.HmacSha512
+    ];
+    
+    // To re-enable symmetric algorithms for signing request objects:
+    options.SupportedRequestObjectSigningAlgorithms = 
+    [
+        SecurityAlgorithms.RsaSha256,
+        SecurityAlgorithms.RsaSha384,
+        SecurityAlgorithms.RsaSha512,
+
+        SecurityAlgorithms.RsaSsaPssSha256,
+        SecurityAlgorithms.RsaSsaPssSha384,
+        SecurityAlgorithms.RsaSsaPssSha512,
+
+        SecurityAlgorithms.EcdsaSha256,
+        SecurityAlgorithms.EcdsaSha384,
+        SecurityAlgorithms.EcdsaSha512,
+
+        SecurityAlgorithms.HmacSha256,
+        SecurityAlgorithms.HmacSha384,
+        SecurityAlgorithms.HmacSha512
+    ];
+});
+```
+
+https://github.com/DuendeSoftware/products/pull/2077
+
 ## Step 3: Done!
 
 That's it. Of course, at this point you can and should test that your IdentityServer is updated and working properly.
+
+[1]: https://openid.net/specs/fapi-security-profile-2_0-final.html
