Merge branch 'main' into wca/oidc-client-dpop-extensions

Author: wcabus

package-lock.json

@@ -26,20 +26,20 @@
   },
   "dependencies": {
     "@astrojs/markdown-remark": "^6.3.1",
-    "@astrojs/starlight": "^0.34.0",
+    "@astrojs/starlight": "^0.34.3",
     "@astrojs/ts-plugin": "^1.10.4",
     "@fontsource/roboto": "^5.2.5",
     "@pasqal-io/starlight-client-mermaid": "^0.1.0",
     "@resvg/resvg-js": "^2.6.2",
-    "astro": "^5.7.2",
+    "astro": "^5.7.13",
     "astro-opengraph-images": "^1.12.2",
-    "astro-redirect-from": "^1.3.1",
+    "astro-redirect-from": "^1.3.3",
     "astro-rehype-relative-markdown-links": "^0.18.1",
     "jsdom": "^26.0.0",
     "patch-package": "^8.0.0",
     "react": "^19.0.0",
     "rehype-external-links": "^3.0.0",
-    "satori": "^0.12.1",
+    "satori": "^0.13.1",
     "sharp": "^0.34.1",
     "starlight-auto-sidebar": "^0.1.1",
     "starlight-giscus": "^0.6.1",
@@ -50,8 +50,8 @@
   },
   "devDependencies": {
     "@types/jsdom": "^21.1.7",
-    "@types/node": "^22.13.10",
-    "@types/react": "^19.0.10",
+    "@types/node": "^22.15.18",
+    "@types/react": "^19.1.4",
     "node-fetch": "^3.3.2",
     "prettier": "3.5.3"
   },

package.json

@@ -25,7 +25,7 @@ dotnet add package Duende.IdentityServer.EntityFramework
 ```
 
 ## Configuration Store Support
-For storing [configuration data](/identityserver/configuration/), then the configuration store can be used.
+For storing [configuration data](/identityserver/configuration/), the configuration store can be used.
 This support provides implementations of the `IClientStore`, `IResourceStore`, `IIdentityProviderStore`, and the `ICorsPolicyService` extensibility points.
 These implementations use a `DbContext`-derived class called `ConfigurationDbContext` to model the tables in the database.
 

patches/astro+5.7.9.patch renamed to patches/astro+5.7.13.patch

@@ -110,3 +110,53 @@ Then, in your `appsettings.json` file, you can set the default minimum log level
   }
 }
 ```
+
+## Filtering Exceptions
+
+The `LoggingOptions` class allows developers to filter out any exceptions that
+could potentially lead to log bloat. For example, in a web application, developers
+should expect to see `OperationCanceledException` as clients end HTTP requests
+abruptly for many reasons. It's such a common occurrence to see this exception that
+the default filter included with IdentityServer excludes it by default.
+
+```csharp
+/// <summary>
+/// Called when the IdentityServer middleware detects an unhandled exception, and is used to determine if the exception is logged.
+/// Returns true to emit the log, false to suppress.
+/// </summary>
+public Func<HttpContext, Exception, bool> UnhandledExceptionLoggingFilter = (context, exception) =>
+{
+    var result = !(context.RequestAborted.IsCancellationRequested && exception is OperationCanceledException);
+    return result;
+};
+```
+
+To apply custom filtering, you can set the `UnhandledExceptionLoggingFilter` property on
+the `LoggingOptions` for your `IdentityServerOptions`.
+
+```csharp
+var isBuilder = builder.Services.AddIdentityServer(options =>
+    {
+        options.Logging.UnhandledExceptionLoggingFilter =
+            (ctx, ex) => {
+                if (ctx.User is { Identity.Name: "Jeff" }) 
+                {
+                    // Oh Jeff...
+                    return false;
+                }
+
+                if (ex.Message.Contains("Oops"))
+                {
+                    // ignore this exception
+                    return false;
+                }
+
+                // this is a real exception
+                return true;
+            };
+    })
+    .AddTestUsers(TestUsers.Users)
+    .AddLicenseSummary();
+```
+
+Returning `true` means the exception will be logged, while returning `false` indicates the exception should not be logged.

src/content/docs/identityserver/data/ef.md

@@ -77,6 +77,7 @@ identity provider. Understanding the direction of these events can help you dete
 | `OnTokenResponseReceived`                | **Incoming** |
 | `OnTokenValidated`                       | **Incoming** |
 | `OnUserInformationReceived`              | **Incoming** |
+| `OnTicketReceived`                       | **Incoming** |
 | `OnPushAuthorization` (**.NET 9+ only**) | **Outgoing** |
 
 ## Commonly Subscribed Events
@@ -174,6 +175,15 @@ For ASP.NET Core developers, the most commonly subscribed events are:
   endpoint.
 - **Commonly subscribed**: Sometimes, if extra claims processing is required.
 
+### OnTicketReceived
+
+- **When called**: Invoked after the OpenID Connect authentication flow is complete and before the authentication ticket
+  is returned.
+- **How often**: Called once per successful authentication flow completion.
+- **Example use case**: Modify the final authentication ticket, perform additional validation, or execute custom logic
+  before completing the authentication process.
+- **Commonly subscribed**: Sometimes, when final authentication customization is needed before completing the flow or for diagnostics and troubleshooting purposes.
+
 ### OnPushAuthorization
 
 - **When called**: Invoked before sending authorization parameters using the Pushed Authorization Request (PAR)

src/content/docs/identityserver/diagnostics/logging.md

@@ -36,7 +36,7 @@ available [here](https://github.com/DuendeSoftware/Samples/tree/main/IdentitySer
 
 In addition to the written steps below there's also a YouTube video available:
 
-<iframe width="853" height="505" src="https://www.youtube.com/embed/3-1QY8s2C9k" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
+<iframe width="853" height="505" src="https://www.youtube.com/embed/EhuCpbH7Ad0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
 
 ## Preparation
 

src/content/docs/identityserver/fundamentals/openid-connect-events.md

@@ -65,9 +65,9 @@ that enable the UI. Note that there are three places to comment in - two in
 `ConfigurePipeline` and one in `ConfigureServices`.
 
 :::note
-There is also a template called `isinmem` which combines the basic
-IdentityServer from the `isempty` template with the quickstart UI from the
-`isui` template.
+There is also a template called `duende-is-inmem` which combines the basic
+IdentityServer from the `duende-is-empty` template with the quickstart UI from the
+`duende-is-ui` template.
 :::
 
 Comment in the service registration and pipeline configuration, run the

src/content/docs/identityserver/quickstarts/1-client-credentials.md

@@ -75,7 +75,9 @@ Settings that affect the background cleanup of expired entries (tokens) from the
 
 * **`TokenCleanupBatchSize`**
 
-  Gets or sets the number of records to remove at a time. Defaults to `100`.
+  Gets or sets the number of records to remove per batch operation.
+  The cleanup job will perform multiple batch operations as long as there are more records to remove than the configured `TokenCleanupBatchSize`. 
+  Defaults to `100`.
 
 * **`FuzzTokenCleanupStart`**