Early Preview
This is currently very much a preview. Please feel free to try things out, but don't be upset if anything is not yet working. Feedback is welcome over on our GitHub Discussions page.
class Duende.IdentityServer.Configuration.IdentityServerOptions
Assembly: Duende.IdentityServer
Inheritance: object → IdentityServerOptions
The central configuration container for Duende IdentityServer. All fundamental settings are grouped into sub-option objects accessible as properties of this class.
Remarks
Options are typically configured at startup via the <c>AddIdentityServer</c> overload that
accepts a configuration delegate:
<code>
builder.Services.AddIdentityServer(options =>
{
    options.IssuerUri = "https://identity.example.com";
});
</code>
Properties
public string IssuerUri
Gets or sets the URI that identifies this IdentityServer instance. Used as the <c>issuer</c> claim in
the discovery document, JWT access tokens, and introspection responses.
Remarks
It is recommended to leave this unset. When not configured, the issuer is inferred from
the URL of each incoming request, which better conforms to the OpenID Connect specification
requirement that the issuer value be identical to the URL used to retrieve the discovery
document. Setting a fixed issuer is useful when IdentityServer is accessed internally
(e.g., inside a Kubernetes cluster) on a different address than the public-facing URL.
When set, clients must be configured with the OpenID Connect metadata address explicitly
to avoid using the authority-derived address.
public bool LowerCaseIssuerUri
Gets or sets a value indicating whether the inferred <see cref="P:Duende.IdentityServer.Configuration.IdentityServerOptions.IssuerUri" /> is normalized to lowercase.
Remarks
When <c>true</c> (the default), the issuer URI derived from the request is converted to
lowercase. Set to <c>false</c> to preserve the original casing of the request URL.
public string AccessTokenJwtType
Gets or sets the value written to the <c>typ</c> header of JWT access tokens.
Remarks
Defaults to <c>at+jwt</c> as specified by
<see href="https://datatracker.ietf.org/doc/html/rfc9068">RFC 9068</see>.
Set to <c>null</c> or an empty string to omit the <c>typ</c> header entirely.
public string LogoutTokenJwtType
Gets or sets the value written to the <c>typ</c> header of back-channel logout tokens.
Remarks
Defaults to <c>logout+jwt</c> as specified by the
<see href="https://openid.net/specs/openid-connect-backchannel-1_0.html#logouttoken">OpenID Connect Back-Channel Logout 1.0</see> specification.
public bool EmitStaticAudienceClaim
Gets or sets a value indicating whether a static <c>aud</c> claim in all access tokens with the format <c>{issuer}/resources</c> is emitted.
Remarks
Defaults to <c>false</c>. Enable this flag only when you need to produce access tokens
that are backwards-compatible with older IdentityServer deployments that emitted a static
audience. When <see cref="T:Duende.IdentityServer.Models.ApiResource" />s are also configured, both the static audience
and the API resource audiences will be present in the token.
public bool EmitScopesAsSpaceDelimitedStringInJwt
Gets or sets a value indicating whether scope claims in JWTs and introspection responses are emitted as a
space-delimited string rather than a JSON array.
Remarks
Defaults to <c>false</c> for backwards compatibility. Setting this to <c>true</c> conforms
to <see href="https://datatracker.ietf.org/doc/html/rfc9068">RFC 9068</see>, which
specifies a space-delimited string for the <c>scope</c> claim in JWT access tokens.
public bool EmitIssuerIdentificationResponseParameter
Gets or sets a value indicating whether the <c>iss</c> response parameter on authorize endpoint responses is emitted.
Remarks
Defaults to <c>true</c>. Specified by
<see href="https://datatracker.ietf.org/doc/rfc9207/">RFC 9207</see>, which defines the
<c>iss</c> parameter to help clients identify the authorization server that issued the
response and protect against mix-up attacks.
public bool EmitStateHash
Gets or sets a value indicating whether the <c>s_hash</c> claim in identity tokens is emitted.
Remarks
Defaults to <c>false</c>. The <c>s_hash</c> claim is a hash of the <c>state</c> parameter,
defined by the
<see href="https://openid.net/specs/openid-financial-api-part-2-1_0.html">OpenID Financial-grade API Security Profile</see>.
Enable this when targeting FAPI-compliant clients.
public bool StrictJarValidation
Gets or sets a value indicating whether strict validation of JWT-secured authorization requests (JAR) per
<see href="https://datatracker.ietf.org/doc/rfc9101/">RFC 9101</see> is enforced.
Remarks
Defaults to <c>false</c>. When enabled, JAR request JWTs must carry a <c>typ</c> header
value of <c>oauth-authz-req+jwt</c>, and the HTTP request must include a
<c>Content-Type</c> of <c>application/oauth-authz-req+jwt</c>. Enabling this may break
older OIDC-conformant request objects that do not set these headers.
public bool ValidateTenantOnAuthorization
Gets or sets a value indicating whether the user's <c>tenant</c> claim is compared against the <c>tenant</c> value in
<c>acr_values</c> to decide whether to show the login page.
Remarks
Defaults to <c>false</c>. When enabled, if the authenticated user's <c>tenant</c> claim
does not match the requested tenant in <c>acr_values</c>, the user is redirected to the
login page.
public EndpointsOptions Endpoints
Gets or sets the configuration for which protocol endpoints are enabled or disabled.
public DiscoveryOptions Discovery
Gets or sets the configuration for the OpenID Connect discovery document endpoint.
public AuthenticationOptions Authentication
Gets or sets the configuration for login, logout, and cookie behavior for interactive users.
public EventsOptions Events
Gets or sets the configuration for which diagnostic events are raised to the registered event sink.
public InputLengthRestrictions InputLengthRestrictions
Gets or sets the maximum allowed lengths for protocol request parameters such as client ID, scope, and redirect URI.
public UserInteractionOptions UserInteraction
Gets or sets the configuration for user-facing UI pages, including URLs and query parameter names.
public CachingOptions Caching
Gets or sets the cache durations for client, resource, CORS, and identity provider store lookups.
Remarks
These settings only take effect when the respective caching has been enabled during
service registration (e.g., <c>AddClientStoreCache</c>).
public CorsOptions Cors
Gets or sets the CORS policy settings for IdentityServer's protocol endpoints.
public CspOptions Csp
Gets or sets the Content Security Policy (CSP) header settings for IdentityServer's UI pages.
public ValidationOptions Validation
Gets or sets the settings that control redirect URI validation behavior.
public DeviceFlowOptions DeviceFlow
Gets or sets the OAuth 2.0 Device Authorization Grant (device flow) settings.
public CibaOptions Ciba
Gets or sets the Client-Initiated Backchannel Authentication (CIBA) settings.
public LoggingOptions Logging
Gets or sets the settings for filtering sensitive values from logs and suppressing noisy exceptions.
public MutualTlsOptions MutualTls
Gets or sets the Mutual TLS (mTLS) settings for certificate-bound tokens and client authentication.
public KeyManagementOptions KeyManagement
Gets or sets the automatic signing key management settings, including rotation intervals and storage options.
public PersistentGrantOptions PersistentGrants
Gets or sets the settings for persisted grants, including data protection and one-time refresh token behavior.
public DPoPOptions DPoP
Gets or sets the Demonstration of Proof-of-Possession (DPoP) settings for sender-constrained tokens.
public string LicenseKey
Gets or sets the Duende IdentityServer license key. When not set, IdentityServer runs in trial/starter mode.
public DynamicProviderOptions DynamicProviders
Gets or sets the settings for the dynamic external identity provider feature.
public ServerSideSessionOptions ServerSideSessions
Gets or sets the settings for server-side session storage and periodic cleanup of expired sessions.
public PushedAuthorizationOptions PushedAuthorization
Gets or sets the Pushed Authorization Request (PAR) settings, including whether PAR is globally required.
public System.TimeSpan JwtValidationClockSkew
Gets or sets the allowed clock skew applied when validating JWT lifetimes throughout IdentityServer.
Remarks
Defaults to five minutes. This setting applies to JWT access tokens validated at the
UserInfo, introspection, and local API endpoints; private_key_jwt client authentication
assertions; JAR request objects; and custom uses of <see cref="T:Duende.IdentityServer.Validation.TokenValidator" />.
It does not apply to DPoP proof tokens, which use <see cref="P:Duende.IdentityServer.Configuration.DPoPOptions.ServerClockSkew" />.
public bool StrictClientAssertionAudienceValidation
Gets or sets a value indicating whether strict audience validation is enforced for
<c>private_key_jwt</c> client assertions.
Remarks
When <see langword="true" />, the audience (<c>aud</c>) claim must be the issuer identifier
as the sole value (per draft-ietf-oauth-rfc7523bis), and the <c>typ</c> header must be
<c>client-authentication+jwt</c>.

When <see langword="false" />, legacy audience values (token endpoint URL, CIBA endpoint, PAR
endpoint) are accepted, and the <c>typ</c> header is not required. However, if a token
includes <c>typ: client-authentication+jwt</c>, strict validation is still applied for that
token regardless of this setting.

Defaults to <see langword="false" />. Set to <see langword="true" /> to enforce strict
validation per draft-ietf-oauth-rfc7523bis.
public System.Collections.Generic.ICollection<string> SupportedRequestObjectSigningAlgorithms
Gets or sets the allowed signature algorithms for JWT secured authorization requests (JAR). The "alg" header of JAR
request objects is validated against this collection, and the
request_object_signing_alg_values_supported discovery property is populated with these values.

Defaults to [RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512], which allows
the RSA, Probabilistic RSA, or ECDSA signing algorithms with 256, 384, or 512-bit SHA hashing.

If set to an empty collection, all algorithms are allowed, but the request_object_signing_alg_values_supported
will not be set. Explicitly listing the expected values is recommended.
public System.Collections.Generic.ICollection<string> SupportedClientAssertionSigningAlgorithms
Gets or sets the allowed signature algorithms for client authentication using client assertions (the
private_key_jwt parameter). The "alg" header of client assertions is validated against this collection, and the
token_endpoint_auth_signing_alg_values_supported discovery property is populated with these values.

Defaults to [RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512], which allows
the RSA, Probabilistic RSA, or ECDSA signing algorithms with 256, 384, or 512-bit SHA hashing.

If set to an empty collection, all algorithms are allowed, but the
token_endpoint_auth_signing_alg_values_supported will not be set. Explicitly listing the expected values is
recommended.
public DiagnosticOptions Diagnostics
Gets or sets the options that control the diagnostic data that is logged by IdentityServer.
public SamlOptions Saml
Gets or sets the SAML 2.0 Identity Provider options.
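A hardened startup configuration that sets the security-relevant options listed above, with comments recording each property's default so the tightening is visible. This is an added example, not code from the Duende IdentityServer documentation; it assumes the `builder` from the Remarks snippet is an ASP.NET Core WebApplicationBuilder, and the algorithm names are the literal "alg" values the defaults list.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddIdentityServer(options =>
{
    // IssuerUri is intentionally left unset: the issuer is then inferred from each
    // request URL, which matches the OpenID Connect rule that issuer == discovery URL.
    // Pin it only when the server is reached on an internal address (e.g. inside a
    // Kubernetes cluster); the commented value is a constructed placeholder.
    // options.IssuerUri = "https://identity.example.com";

    // RFC 9207 "iss" response parameter (default true; made explicit so a later
    // change cannot silently drop mix-up protection).
    options.EmitIssuerIdentificationResponseParameter = true;

    // FAPI: bind the identity token to the authorize request's state via s_hash (default false).
    options.EmitStateHash = true;

    // RFC 9068 access tokens: typ=at+jwt (default) and a space-delimited scope claim (default false).
    options.AccessTokenJwtType = "at+jwt";
    options.EmitScopesAsSpaceDelimitedStringInJwt = true;

    // RFC 9101 JAR: require typ=oauth-authz-req+jwt and the matching Content-Type (default false).
    // Caveat from the docs: older OIDC request objects without these headers will be rejected.
    options.StrictJarValidation = true;

    // private_key_jwt assertions must name exactly the issuer identifier as "aud" and carry
    // typ=client-authentication+jwt (draft-ietf-oauth-rfc7523bis; default false).
    options.StrictClientAssertionAudienceValidation = true;

    // Explicit allow-lists instead of the nine-entry defaults. An empty collection would
    // accept any algorithm and omit the *_alg_values_supported discovery properties.
    options.SupportedClientAssertionSigningAlgorithms = new List<string> { "PS256", "ES256" };
    options.SupportedRequestObjectSigningAlgorithms = new List<string> { "PS256", "ES256" };

    // Tighten JWT lifetime validation from the five-minute default; DPoP proofs are
    // governed separately by options.DPoP.ServerClockSkew.
    options.JwtValidationClockSkew = TimeSpan.FromMinutes(1);
});

var app = builder.Build();
app.UseIdentityServer();
app.Run();
```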
Methods
public bool Equals(object obj)
Inherited from object
protected void Finalize()
Inherited from object
public int GetHashCode()
Inherited from object
protected object MemberwiseClone()
Inherited from object
public string ToString()
Inherited from object