Merge pull request #772 from DuendeSoftware/release/is-7.3

IdentityServer 7.3

Author: maartenba

src/content/docs/identityserver/diagnostics/data.mdx

@@ -141,13 +141,16 @@ Note that the pages in the user interface are not IdentityServer endpoints and a
 | endpoint | The type name for the endpoint processor |
 | path     | The path of the request                  |
 
-### Detailed Metrics - Experimental
+### Detailed Metrics
 
 These detailed metrics are instrumented by the IdentityServer middleware and services and track usage of specific
-flows and features. These metrics are created by the meter named "Duende.IdentityServer.Experimental", which is
-the value of the `Duende.IdentityServer.Telemetry.ServiceName.Experimental` constant.
-The definition and tags of these counters may be changed between releases. Once the counters and tags
-are considered stable they will be moved to the `Duende.IdentityServer.Telemetry.ServiceName` meter.
+flows and features.
+
+:::note
+In IdentityServer versions <span data-shb-badge data-shb-badge-variant="default">&lt;7.3</span>, 
+these metrics are created by the meter named "Duende.IdentityServer.Experimental", starting with IdentityServer 7.3,
+they are created by the meter named "Duende.IdentityServer".
+:::
 
 #### Telemetry.Metrics.Counters.ApiSecretValidation
 

src/content/docs/identityserver/diagnostics/otel.md

@@ -11,7 +11,7 @@ redirect_from:
   - /identityserver/v7/overview/packaging/
 ---
 
-import { LinkCard, CardGrid } from "@astrojs/starlight/components";
+import {LinkCard, CardGrid} from "@astrojs/starlight/components";
 
 ## Product
 
@@ -23,7 +23,7 @@ The licensed and supported libraries can be accessed via NuGet:
 
 ## Templates
 
-Contains Duende templates for the `dotnet` CLI to help jump start your Duende-powered solutions.
+Contains Duende templates for the `dotnet` CLI to help jump-start your Duende-powered solutions.
 
 :::note
 You may have a previous version of Duende templates (`Duende.IdentityServer.Templates`) installed on your machine.
@@ -37,26 +37,207 @@ dotnet new install Duende.Templates
 ```
 
 <CardGrid>
-  <LinkCard
-    description="NuGet Package for IdentityServer Templates"
-    href="https://www.nuget.org/packages/Duende.Templates"
-    title="Templates"
-    target="_blank"
-  />
-  <LinkCard
-    description="Source code for IdentityServer Templates"
-    href="https://github.com/DuendeSoftware/IdentityServer.Templates"
-    title="Source Code"
-  />
+    <LinkCard
+        description="NuGet Package for IdentityServer Templates"
+        href="https://www.nuget.org/packages/Duende.Templates"
+        title="Templates"
+        target="_blank"
+    />
+    <LinkCard
+        description="Source code for IdentityServer Templates"
+        href="https://github.com/DuendeSoftware/IdentityServer.Templates"
+        title="Source Code"
+    />
 </CardGrid>
 
-## UI
+Running the command `dotnet new list duende` should give you a list of the following templates
 
-Duende IdentityServer does not contain any UI, because this is always custom to the project.
-We still provide you with
-the [IdentityServer Quickstart UI](https://github.com/DuendeSoftware/products/tree/main/identity-server/templates/src/UI)
-as a starting point for your modifications.
+```bash
+Template Name                                               Short Name            Language  Tags
+----------------------------------------------------------  --------------------  --------  -------------------------
+Duende BFF Host using a Remote API                          duende-bff-remoteapi  [C#]      Web/Duende/BFF
+Duende BFF using a Local API                                duende-bff-localapi   [C#]      Web/Duende/BFF
+Duende BFF with Blazor autorender                           duende-bff-blazor     [C#]      Web/Duende/BFF
+Duende IdentityServer Empty                                 duende-is-empty       [C#]      Web/Duende/IdentityServer
+Duende IdentityServer Quickstart UI (UI assets only)        duende-is-ui          [C#]      Web/IdentityServer
+Duende IdentityServer with ASP.NET Core Identity            duende-is-aspid       [C#]      Web/Duende/IdentityServer
+Duende IdentityServer with Entity Framework Stores          duende-is-ef          [C#]      Web/Duende/IdentityServer
+Duende IdentityServer with In-Memory Stores and Test Users  duende-is-inmem       [C#]      Web/Duende/IdentityServer
+```
+
+## Template Descriptions
+
+In this section, we'll discuss what each IdentityServer template offers and why you would choose to start with it. While there are similarities across templates, there are nuances that can make for better starting points depending on your particular use case.
+
+We'll start with the simplest templates and then move to the most feature-rich ones. Many of these templates build on each other's work, so moving from one to another is straightforward.
+
+:::note
+All templates currently target .NET 8.0, but you can alter the target framework after creating the project to target higher framework versions.
+:::
+
+All templates are provided as a starting point for your customization. Using the templates, you assume development responsibility for the choices, alterations, and inevitable deployment of your IdentityServer instance.
+
+### Duende IdentityServer Empty
+
+You want to run the following command to start using the **Duende IdentityServer Empty** template.
+
+```bash
+dotnet new duende-is-empty
+```
+
+Once created, this template has three essential files: `Config`, `HostingExtensions`, and `Program`.
+
+You can modify the `Config` file to add clients, scopes, and claims, as all configurations are from in-memory objects.
+
+```csharp
+public static class Config
+{
+    public static IEnumerable<IdentityResource> IdentityResources =>
+        new IdentityResource[]
+        {
+            new IdentityResources.OpenId()
+        };
+
+    public static IEnumerable<ApiScope> ApiScopes =>
+        new ApiScope[]
+            { };
+
+    public static IEnumerable<Client> Clients =>
+        new Client[]
+            { };
+}
+```
+
+This template doesn't include user interface elements, so it doesn't support OpenID Connect unless you add those UI elements. You can do so by running the UI-only template of `duende-is-ui`.
+
+```bash
+dotnet new duende-is-ui --project <name of web app>
+```
+
+The executed command will add Razor Pages to your web project. You will need to add Razor Pages to your `HostingExtensions` file.
+
+```csharp
+using Serilog;
+
+internal static class HostingExtensions
+{
+    public static WebApplication ConfigureServices(this WebApplicationBuilder builder)
+    {
+        builder.Services.AddRazorPages();
+
+        builder.Services.AddIdentityServer()
+            .AddInMemoryIdentityResources(Config.IdentityResources)
+            .AddInMemoryApiScopes(Config.ApiScopes)
+            .AddInMemoryClients(Config.Clients)
+            .AddLicenseSummary();
+
+        return builder.Build();
+    }
+
+    public static WebApplication ConfigurePipeline(this WebApplication app)
+    {
+        app.UseSerilogRequestLogging();
+
+        if (app.Environment.IsDevelopment())
+        {
+            app.UseDeveloperExceptionPage();
+        }
+
+        app.UseStaticFiles();
+        app.UseRouting();
+
+        app.UseIdentityServer();
+        app.UseAuthorization();
+        app.MapRazorPages().RequireAuthorization();
+
+        return app;
+    }
+}
+```
+
+### Duende IdentityServer with In-Memory Stores and Test Users
+
+The `duende-is-inmem` template is similar to the `duende-is-empty` and `duende-is-ui` templates combined into a single project template.
+
+```bash
+dotnet new duende-is-inmem
+```
+
+This template differs from others in that we have defined some starting clients, scopes, and claims for common development scenarios and a speedier development experience.
+
+```csharp
+// Config.cs
+public static class Config
+{
+    public static IEnumerable<IdentityResource> IdentityResources =>
+        new IdentityResource[]
+        {
+            new IdentityResources.OpenId(),
+            new IdentityResources.Profile(),
+        };
+
+    public static IEnumerable<ApiScope> ApiScopes =>
+        new ApiScope[]
+        {
+            new ApiScope("scope1"),
+            new ApiScope("scope2"),
+        };
+
+    public static IEnumerable<Client> Clients =>
+        new Client[]
+        {
+            // m2m client credentials flow client
+            new Client
+            {
+                ClientId = "m2m.client",
+                ClientName = "Client Credentials Client",
+
+                AllowedGrantTypes = GrantTypes.ClientCredentials,
+                ClientSecrets = { new Secret("511536EF-F270-4058-80CA-1C89C192F69A".Sha256()) },
+
+                AllowedScopes = { "scope1" }
+            },
+
+            // interactive client using code flow + pkce
+            new Client
+            {
+                ClientId = "interactive",
+                ClientSecrets = { new Secret("49C1A7E1-0C79-4A89-A3D6-A37998FB86B0".Sha256()) },
+
+                AllowedGrantTypes = GrantTypes.Code,
+
+                RedirectUris = { "https://localhost:44300/signin-oidc" },
+                FrontChannelLogoutUri = "https://localhost:44300/signout-oidc",
+                PostLogoutRedirectUris = { "https://localhost:44300/signout-callback-oidc" },
+
+                AllowOfflineAccess = true,
+                AllowedScopes = { "openid", "profile", "scope2" }
+            },
+        };
+}
+```
+
+This template is a great starting point for proof of concepts and a learning tool for developers experiencing OAuth 2.0 and OpenID Connect in the .NET space for the first time.
+
+### Duende IdentityServer with Entity Framework Stores
+
+For developers looking to quickly go to a production-like environment, starting with the `duende-is-ef` template is a great starting point.
+
+```bash
+dotnet new duende-is-ef
+```
+
+This template stores all operational and configuration data of the IdentityServer instance in your chosen data storage, utilizing EF Core's ability to target multiple database engines.
+
+The template targets SQLite by default, but we have included scripts to easily swap out and regenerate migrations for your database.
+
+[Read more about the Entity Framework Core setup here.](/identityserver/data/ef)
+
+### Duende IdentityServer with ASP.NET Core Identity
+
+The **Duende IdentityServer with ASP.NET Core Identity** template integrates with ASP.NET Identity to
+provide you with an instance of Duende IdentityServer that has a user store powered by the Microsoft
+library.
 
-## Source Code
+[Please read our ASP.NET Identity documentation](/identityserver/aspnet-identity/), to learn more about this integration.
 
-You can find the Duende IdentityServer source code on [GitHub](https://github.com/duendesoftware/IdentityServer).

src/content/docs/identityserver/overview/packaging.mdx

@@ -23,8 +23,7 @@ Duende IdentityServer implements the following specifications:
 * OpenID Connect Back-Channel Logout 1.0 ([spec](https://openid.net/specs/openid-connect-backchannel-1_0.html))
 * Multiple Response Types ([spec](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html))
 * Form Post Response Mode ([spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html))
-* Enterprise Edition: OpenID Connect Client-Initiated Backchannel Authentication (
-  CIBA) ([spec](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html)).
+* Enterprise Edition: OpenID Connect Client-Initiated Backchannel Authentication (CIBA) ([spec](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html)).
 
 ## OAuth 2.x
 
@@ -50,3 +49,5 @@ Duende IdentityServer implements the following specifications:
 * Enterprise Edition: Resource Indicators for OAuth 2.0 ([RFC 8707](https://tools.ietf.org/html/rfc8707))
 * Enterprise Edition: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer /
   DPoP ([RFC 9449](https://datatracker.ietf.org/doc/html/rfc9449))
+* FAPI 2.0 Security Profile ([spec](https://openid.net/specs/fapi-security-profile-2_0-final.html))
+* JSON Web Token (JWT) Response for OAuth Token Introspection ([RFC 9701](https://www.rfc-editor.org/rfc/rfc9701.html))

src/content/docs/identityserver/overview/specs.md

@@ -64,6 +64,48 @@ Unknown or expired tokens will be marked as inactive:
 
 An invalid request will return a 400, an unauthorized request 401.
 
+## JWT Response from Introspection Endpoint :badge[v7.3]
+
+IdentityServer supports [RFC 9701](https://www.rfc-editor.org/rfc/rfc9701.html) to return a JWT response from the
+introspection endpoint.
+
+To return a JWT response, set the `Accept` header in the HTTP request to `application/token-introspection+jwt`:
+
+```text
+POST /connect/introspect
+Accept: application/token-introspection+jwt
+Authorization: Basic xxxyyy
+
+token=<token>
+```
+
+A successful response will return a status code of 200 and has a `Content-Type: application/token-introspection+jwt` header,
+indicating that the response body contains a raw JWT instead. The base64 decoded JWT will have a `typ` claim in the header with 
+the value `token-introspection+jwt`. The token's payload contains a `token_introspection` JSON object similar to the default response type:  
+
+```json
+{
+  "alg": "RS256",
+  "kid": "BE9D78519A8BBCB28A65FADEECF49CBC",
+  "typ": "token-introspection+jwt"
+}.{
+  "iss": "https://localhost:5001",
+  "iat": 1729599599,
+  "aud": "api1",
+  "token_introspection": {
+    "iss": "https://localhost:5001",
+    "nbf": 1729599599,
+    "iat": 1729599599,
+    "exp": 1729603199,
+    "aud": [ "api1" ],
+    "client_id": "client",
+    "jti": "44FD2DE9E9F8E9F4DDD141CD7C244BE9",
+    "active": true,
+    "scope": "api1"
+  }
+}.[Signature]
+```
+
 ## .NET Client Library
 
 You can use the [Duende IdentityModel](/identitymodel/index.mdx) client library to programmatically interact with