---
title: Glossary
description: A comprehensive glossary of security and identity management terms, including features and concepts used in Duende IdentityServer
---
The glossary below provides definitions and explanations of commonly used terms and features within the security and identity management domain. Explore each term to gain a deeper understanding of its functionality and relevance.
A client is a piece of software that requests tokens from your IdentityServer - either for authenticating a user (requesting an identity token) or for accessing a resource (requesting an access token). A client must first be registered with your IdentityServer before it can request tokens, and it is identified by a unique client ID.
There are many different client types, e.g. web applications, native mobile or desktop applications, SPAs, server processes, etc.
The automatic key management feature creates and manages key material for signing tokens and follows best practices for handling this key material, including storage and rotation.
The server-side session management feature extends the ASP.NET Core cookie authentication handler to maintain a user's authentication session state in a server-side store, rather than putting it all into a self-contained cookie. Using server-side sessions enables more architectural features in your IdentityServer, such as:
- query and manage active user sessions (e.g. from an administrative app).
- detect session expiration and perform cleanup, both in IdentityServer and in client apps.
- centralize and monitor session activity in order to achieve a system-wide inactivity timeout.
The Duende Backend For Frontend (BFF) security framework packages up guidance and the necessary components to secure browser-based frontends (e.g. SPAs or Blazor WASM applications) with ASP.NET Core backends.
Implementation of RFC 8707. Provides a standards-based endpoint to register clients and their configuration.
Implementation of RFC 9126. Provides a more secure way to start a browser-based token/authentication request.
The dynamic configuration feature allows configuration for OpenID Connect providers to be loaded dynamically from a store. This is designed to address the performance concern of configuring many providers and to allow configuration changes to be applied to a running server.
The resource isolation feature allows a client to request access tokens for an individual resource server. This allows API-specific features such as access token encryption and isolation of APIs that are not in the same trust boundary.
Duende IdentityServer supports the Client-Initiated Backchannel Authentication Flow (also known as CIBA). This allows a user to log in with a higher-security device (e.g. their mobile phone) than the device on which they are using an application (e.g. a public kiosk). CIBA is one of the requirements for Financial-grade API compliance.
A mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.
A single deployment acts as a single OpenID Connect / OAuth authority hosted at a single URL. It can consist of multiple physical or virtual nodes for load-balancing or fail-over purposes.
Can be either completely independent single deployments, or a single deployment that acts as multiple authorities.
A single logical deployment that acts as multiple logical token services on multiple URLs or host names (e.g. for branding, isolation or multi-tenancy reasons).
Online developer community forum for Duende Software product issues and bugs.
Helpdesk system with guaranteed response time for Duende Software product issues and bugs.