Additional reference docs updates after cross-checking against product

Author: maartenba

astro/src/content/docs/identityserver/reference/v7/models/client.md

@@ -202,12 +202,11 @@ public static IEnumerable<Client> Get()
 
 * **`ClientClaimsPrefix`**
 
-  If set, the prefix client claim types will be prefixed with. Defaults to `client`_. The intent is to make sure they
+  If set, the prefix client claim types will be prefixed with. Defaults to `client_`. The intent is to make sure they
   don't accidentally collide with user claims.
 
 * **`PairWiseSubjectSalt`**
   Salt value used in pair-wise subjectId generation for users of this client.
-  Currently not implemented.
 
 ## Refresh Token
 

astro/src/content/docs/identityserver/reference/v7/options.md

@@ -634,7 +634,7 @@ var builder = services.AddIdentityServer(options =>
 
   Specifies either the name of the subdomain or full domain for running the MTLS endpoints. MTLS will use path-based endpoints if not set (the default).
   Use a simple string (e.g. "mtls") to set a subdomain, use a full domain name (e.g. "identityserver-mtls.io") to set a full domain name.
-  When a full domain name is used, you also need to set the `IssuerName` to a fixed value.
+  When a full domain name is used, you also need to set the `IssuerUri` to a fixed value.
 
 - **`AlwaysEmitConfirmationClaim`**
 
@@ -704,7 +704,7 @@ Settings for [server-side sessions](/identityserver/ui/server-side-sessions/inde
 - **`ExpiredSessionsTriggerBackchannelLogout`**
 
   If enabled, when server-side sessions are removed due to expiration, back-channel logout notifications will be sent.
-  This will, in effect, tie a user's session lifetime at a client to their session lifetime at IdentityServer. Defaults to true.
+  This will, in effect, tie a user's session lifetime at a client to their session lifetime at IdentityServer. Defaults to false.
 
 - **`FuzzExpiredSessionRemovalStart`**
 

astro/src/content/docs/identityserver/reference/v8/di.md

@@ -44,6 +44,28 @@ Several convenience methods are provided for registering custom stores:
 
   Registers a custom `IIdentityProviderStore` implementation.
 
+- **`AddPersistedGrantStore<T>`**
+
+  Registers a custom `IPersistedGrantStore` implementation for persisting grants such as authorization codes, refresh
+  tokens, reference tokens, and user consent records. Replace the default in-memory store with a durable implementation
+  for production use.
+
+- **`AddDeviceFlowStore<T>`**
+
+  Registers a custom `IDeviceFlowStore` implementation for persisting device flow authorization codes and user codes
+  during the OAuth 2.0 Device Authorization Grant flow.
+
+- **`AddSigningKeyStore<T>`**
+
+  Registers a custom `ISigningKeyStore` implementation for persisting automatically managed signing keys. Replace the
+  default file-system store with a durable implementation (e.g. database or key vault) for production deployments with
+  multiple server instances.
+
+- **`AddPushedAuthorizationRequestStore<T>`**
+
+  Registers a custom `IPushedAuthorizationRequestStore` implementation for persisting Pushed Authorization Requests
+  (PAR). Replace the default in-memory store with a durable implementation for production use.
+
 The [in-memory configuration stores](/identityserver/data/configuration.md#in-memory-stores) can be registered in DI
 with the following extension methods.
 
@@ -166,6 +188,16 @@ The following are convenient to add additional features to your IdentityServer.
   Adds an `ISecretValidator` implementation for validating client or API resource credentials against a credential
   store.
 
+- **`AddResourceValidator`**
+
+  Adds an `IResourceValidator` implementation for validating whether the requested scopes and resources are valid for a
+  given client.
+
+- **`AddScopeParser`**
+
+  Adds an `IScopeParser` implementation for parsing the raw scope string from authorization and token requests into
+  individual parsed scope values.
+
 - **`AddResourceOwnerValidator`**
 
   Adds an `IResourceOwnerPasswordValidator` implementation for validating user credentials for the resource owner
@@ -215,13 +247,34 @@ The following are convenient to add additional features to your IdentityServer.
 
   Adds an IdentityProvider configuration validator.
 
+- **`AddClientConfigurationValidator`**
+
+  Adds an `IClientConfigurationValidator` implementation that validates client configuration when clients are loaded
+  from the store, allowing enforcement of organization-specific client configuration rules.
+
+- **`AddCustomBackchannelAuthenticationRequestValidator`**
+
+  Adds an `ICustomBackchannelAuthenticationValidator` implementation for adding additional validation logic to CIBA
+  (Client-Initiated Backchannel Authentication) requests.
+
+- **`AddBackChannelLogoutService`**
+
+  Adds an `IBackChannelLogoutService` implementation that handles sending back-channel logout notifications to clients
+  when a user's session ends.
+
+- **`AddUserSession`**
+
+  Adds an `IUserSession` implementation that manages the user's authentication session, including reading and writing
+  the session cookie and tracking session identifiers. The service is registered as scoped.
+
 - **`AddBackchannelAuthenticationUserValidator`**
 
   Adds the backchannel login user validator.
 
 - **`AddBackchannelAuthenticationUserNotificationService`**
 
-  Adds the backchannel login user validator.
+  Adds an `IBackchannelAuthenticationUserNotificationService` implementation responsible for notifying the end user of a
+  pending CIBA authentication request (e.g. by sending a push notification or SMS).
 
 ## SAML 2.0 :badge[v8.0]
 

astro/src/content/docs/identityserver/reference/v8/models/api-resource.md

@@ -53,6 +53,14 @@ This class models an API.
 
   List of associated user claim types that should be included in the access token.
 
+* **`ShowInDiscoveryDocument`**
+
+  Specifies whether this resource is shown in the discovery document. Defaults to `true`.
+
+* **`Properties`**
+
+  Dictionary to hold any custom resource-specific values as needed.
+
 * **`Scopes`**
 
   List of API scope names. You need to create those using [ApiScope](/identityserver/reference/v8/models/api-scope.md).

astro/src/content/docs/identityserver/reference/v8/models/api-scope.md

@@ -36,6 +36,23 @@ This class models an OAuth scope.
 
   List of associated user claim types that should be included in the access token.
 
+* **`Required`**
+
+  Specifies whether the user can de-select the scope on the consent screen. Defaults to `false`.
+
+* **`Emphasize`**
+
+  Specifies whether the consent screen will emphasize this scope. Use this setting for sensitive or important scopes.
+  Defaults to `false`.
+
+* **`ShowInDiscoveryDocument`**
+
+  Specifies whether this scope is shown in the discovery document. Defaults to `true`.
+
+* **`Properties`**
+
+  Dictionary to hold any custom scope-specific values as needed.
+
 ## Defining API Scope In appsettings.json
 
 The `AddInMemoryApiResource` extension method also supports adding clients from the ASP.NET Core configuration file:

astro/src/content/docs/identityserver/reference/v8/models/client.md

@@ -66,6 +66,10 @@ public static IEnumerable<Client> Get()
 
   Unique ID of the client
 
+* **`ProtocolType`**
+
+  Specifies the protocol type of the client. Defaults to `oidc` (OpenID Connect).
+
 * **`ClientSecrets`**
 
   List of client secrets - credentials to access the token endpoint.
@@ -204,12 +208,12 @@ public static IEnumerable<Client> Get()
 
 * **`ClientClaimsPrefix`**
 
-  If set, the prefix client claim types will be prefixed with. Defaults to `client`_. The intent is to make sure they
+  If set, the prefix client claim types will be prefixed with. Defaults to `client_`. The intent is to make sure they
   don't accidentally collide with user claims.
 
 * **`PairWiseSubjectSalt`**
+
   Salt value used in pair-wise subjectId generation for users of this client.
-  Currently not implemented.
 
 ## Refresh Token
 
@@ -273,6 +277,10 @@ Consent screen specific settings.
 
   Client display name (used for logging and consent screen).
 
+* **`Description`**
+
+  Description of the client.
+
 * **`ClientUri`**
 
   URI to further information about client.

astro/src/content/docs/identityserver/reference/v8/models/identity-resource.md

@@ -64,3 +64,7 @@ public static readonly IEnumerable<IdentityResource> IdentityResources =
 * **`UserClaims`**
 
   List of associated user claim types that should be included in the identity token.
+
+* **`Properties`**
+
+  Dictionary to hold any custom resource-specific values as needed.

astro/src/content/docs/identityserver/reference/v8/models/idp.md

@@ -53,7 +53,7 @@ Its properties map to the Open ID Connect options class from ASP.NET Core, and t
 
 * **`Scope`**
 
-  Space separated list of scope values.
+  Space separated list of scope values. Defaults to `openid`.
 
 * **`GetClaimsFromUserInfoEndpoint`**
 

astro/src/content/docs/identityserver/reference/v8/options.md

@@ -74,6 +74,18 @@ Top-level settings. Available directly on the `IdentityServerOptions` object.
 - **`ValidateTenantOnAuthorization`**
   Specifies if a user's `tenant` claim is compared to the tenant `acr_values` parameter value to determine if the login page is displayed. Defaults to `false`.
 
+- **`JwtValidationClockSkew`**
+
+  The allowed clock skew applied when validating JWT lifetimes throughout IdentityServer. Defaults to 5 minutes. This setting applies to JWT access tokens validated at the UserInfo, introspection, and local API endpoints; `private_key_jwt` client authentication assertions; JAR request objects; and custom uses of `TokenValidator`. It does not apply to DPoP proof tokens, which use `DPoP.ServerClockSkew`.
+
+- **`SupportedRequestObjectSigningAlgorithms`**
+
+  The allowed signature algorithms for JWT-secured authorization requests (JAR). The `alg` header of JAR request objects is validated against this collection, and the `request_object_signing_alg_values_supported` discovery property is populated with these values. Defaults to `[RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512]`. If set to an empty collection, all algorithms are allowed but `request_object_signing_alg_values_supported` will not be set.
+
+- **`SupportedClientAssertionSigningAlgorithms`**
+
+  The allowed signature algorithms for client authentication using client assertions (`private_key_jwt`). The `alg` header of client assertions is validated against this collection, and the `token_endpoint_auth_signing_alg_values_supported` discovery property is populated with these values. Defaults to `[RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512]`. If set to an empty collection, all algorithms are allowed but `token_endpoint_auth_signing_alg_values_supported` will not be set.
+
 ## Key management
 
 Automatic key management settings. Available on the `KeyManagement` property of the `IdentityServerOptions` object.
@@ -204,6 +216,10 @@ Endpoint settings, including flags to disable individual endpoints and support f
 
   Enables the pushed authorization endpoint. Defaults to true.
 
+- **`EnableOAuth2MetadataEndpoint`**
+
+  Enables the OAuth 2.0 authorization server metadata endpoint (`/.well-known/oauth-authorization-server`). Defaults to true.
+
 - **`EnableJwtRequestUri`**
   Enables the `request_uri` parameter for JWT-Secured Authorization Requests. This allows the JWT to be passed by reference. Disabled by default, due to the security implications of enabling the request_uri parameter (see [RFC 9101 section 10.4](https://datatracker.ietf.org/doc/rfc9101/)).
 
@@ -638,7 +654,7 @@ var builder = services.AddIdentityServer(options =>
 
   Specifies either the name of the subdomain or full domain for running the MTLS endpoints. MTLS will use path-based endpoints if not set (the default).
   Use a simple string (e.g. "mtls") to set a subdomain, use a full domain name (e.g. "identityserver-mtls.io") to set a full domain name.
-  When a full domain name is used, you also need to set the `IssuerName` to a fixed value.
+  When a full domain name is used, you also need to set the `IssuerUri` to a fixed value.
 
 - **`AlwaysEmitConfirmationClaim`**
 
@@ -708,7 +724,7 @@ Settings for [server-side sessions](/identityserver/ui/server-side-sessions/inde
 - **`ExpiredSessionsTriggerBackchannelLogout`**
 
   If enabled, when server-side sessions are removed due to expiration, back-channel logout notifications will be sent.
-  This will, in effect, tie a user's session lifetime at a client to their session lifetime at IdentityServer. Defaults to true.
+  This will, in effect, tie a user's session lifetime at a client to their session lifetime at IdentityServer. Defaults to false.
 
 - **`FuzzExpiredSessionRemovalStart`**
 
@@ -739,6 +755,10 @@ Demonstration of Proof-of-Possession settings. Available on the `DPoP` property
 - **`ServerClockSkew`**
   Clock skew used in validating DPoP proof token expiration using a server-generated nonce value. Defaults to `0`.
 
+- **`SupportedDPoPSigningAlgorithms`**
+
+  The allowed signature algorithms for DPoP proof tokens. The `alg` headers of proofs are validated against this collection, and the `dpop_signing_alg_values_supported` discovery property is populated with these values. Defaults to `[RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512]`. If set to an empty collection, all algorithms (including symmetric algorithms) are allowed and `dpop_signing_alg_values_supported` will not be set. Explicitly listing the expected values is recommended.
+
 ## Pushed Authorization Requests
 
 [Pushed Authorization Requests (PAR)](/identityserver/tokens/par.md) settings. Added in `v7.0`. Available on the `PushedAuthorization` property of the `IdentityServerOptions` object.
@@ -751,6 +771,10 @@ Demonstration of Proof-of-Possession settings. Available on the `DPoP` property
 
   Controls the lifetime of pushed authorization requests. The pushed authorization request's lifetime begins when the request to the PAR endpoint is received, and is validated until the authorize endpoint returns a response to the client application. Note that user interaction, such as entering credentials or granting consent, may need to occur before the authorize endpoint can do so. Setting the lifetime too low will likely cause login failures for interactive users, if pushed authorization requests expire before those users complete authentication. Some security profiles, such as the FAPI 2.0 Security Profile recommend an expiration within 10 minutes to prevent attackers from pre-generating requests. To balance these constraints, this lifetime defaults to 10 minutes.
 
+- **`AllowUnregisteredPushedRedirectUris`**
+
+  Controls whether clients may use redirect URIs in pushed authorization requests that were not previously registered. Defaults to `false`. Enable with caution; allowing unregistered redirect URIs reduces the protection that pre-registration provides against open redirect attacks.
+
 ## Diagnostics
 
 [Diagnostic data](/identityserver/diagnostics/data.mdx) settings. Added in `v7.3`. Available on the `Diagnostics` property of the `IdentityServerOptions` object.

astro/src/content/docs/identityserver/reference/v8/services/interaction-service.md

@@ -22,6 +22,13 @@ MVC controllers for the user interface of IdentityServer.
 
 All async methods accept a `CancellationToken ct` parameter.
 
+* **`GetAuthenticationContextAsync(string? returnUrl, CancellationToken ct)`**
+
+  Returns the protocol-agnostic authentication context for the current request. Returns an `AuthorizationRequest` for
+  OIDC flows or a `SamlAuthenticationRequest` for SAML flows, both behind the common `IAuthenticationContext` interface.
+  Use pattern matching to access protocol-specific details. Returns `null` if the URL does not correspond to a valid
+  pending authorization request.
+
 * **`GetAuthorizationContextAsync(string? returnUrl, CancellationToken ct)`**
 
   Returns the `AuthorizationRequest` based on the `returnUrl` passed to the login or consent pages.