Align IdentityServer with products commit 5777b1ece2af0aa7f2270e08050ffa3a24bbd6da (#1085)

Author: maartenba

astro/src/content/docs/identityserver/reference/v8/services/device-flow-interaction-service.md

@@ -28,7 +28,7 @@ All async methods accept a `CancellationToken ct` parameter.
 
 * **`HandleRequestAsync(string userCode, ConsentResponse consent, CancellationToken ct)`**
 
-  Completes device authorization for the given `userCode`.
+  Completes device authorization for the given `userCode`. Note that `ConsentResponse.RememberConsent` is always treated as `false` in device flow. Consent is never persisted across device flow sessions. This follows [RFC 8628](https://www.rfc-editor.org/rfc/rfc8628) security guidance, since the device initiating the flow is different from the device where the user authenticates.
 
 ## DeviceFlowAuthorizationRequest
 

astro/src/content/docs/identityserver/ui/login/dynamicproviders.md

@@ -123,15 +123,15 @@ containing the dynamic providers.
 public interface IIdentityProviderStore
 {
     /// <summary>
-    /// Gets all identity providers name.
+    /// Gets the display names and scheme names of all registered identity providers.
     /// </summary>
-    Task<IEnumerable<IdentityProviderName>> GetAllSchemeNamesAsync();
+    Task<IReadOnlyCollection<IdentityProviderName>> GetAllSchemeNamesAsync(CancellationToken ct);
 
     // other APIs omitted
 }
 ```
 
-The `GetAllSchemeNamesAsync()` API returns a list of `IdentityProviderName` objects, which contain the scheme name and
+The `GetAllSchemeNamesAsync` API returns a read-only collection of `IdentityProviderName` objects, which contain the scheme name and
 display name of the provider and can be used on the login page, or in other places where you need this information.
 
 In the [IdentityServer Quickstart UI](https://github.com/DuendeSoftware/products/tree/main/identity-server/templates/src/UI/Pages/Account/Login/Index.cshtml.cs#l193-l210),
@@ -149,7 +149,7 @@ var providers = schemes
         AuthenticationScheme = x.Name
     }).ToList();
 
-var dynamicSchemes = (await _identityProviderStore.GetAllSchemeNamesAsync())
+var dynamicSchemes = (await _identityProviderStore.GetAllSchemeNamesAsync(HttpContext.RequestAborted))
     .Where(x => x.Enabled)
     .Select(x => new ExternalProvider
     {

astro/src/content/docs/identityserver/upgrades/v7_4-to-v8_0.md

@@ -192,7 +192,7 @@ builder.Services.AddIdentityServer()
 `System.TimeProvider` (available since .NET 8).
 
 ```diff lang="csharp" title="MyService.cs"
-- // Before (v7.x)0
+- // Before (v7.x)
 - public class MyService
 - {
 -     public MyService(IClock clock) { }
@@ -438,7 +438,33 @@ A new `Duende.IdentityServer.ConformanceReport` package generates an HTML report
 IdentityServer deployment against OAuth 2.1 and FAPI 2.0 specifications. See the
 [Conformance Report documentation](/identityserver/diagnostics/conformance-report/) for details.
 
-## Step 6: Done!
+### Device Flow Consent Is No Longer Remembered
+
+The device flow consent UI no longer offers a "Remember My Decision" option. `ConsentResponse.RememberConsent` is now always set to `false` during device flow authorization.
+
+This change follows [RFC 8628](https://www.rfc-editor.org/rfc/rfc8628) security guidance: because the device initiating the flow is different from the device where the user authenticates, persisting consent creates a cross-device phishing risk.
+
+**If you use the Duende UI templates for device flow**, this change is already applied. If you maintain a custom device flow consent page, remove the "remember consent" checkbox and ensure `ConsentResponse.RememberConsent` is set to `false` when calling `IDeviceFlowInteractionService.HandleRequestAsync`.
+
+## Step 6: Behavioral Changes
+
+### Secret Validator Log Level Changed from Error to Debug
+
+In `ApiSecretValidator` and `ClientSecretValidator`, "not found" log entries (e.g., "No API secret found", "No client with id '...' found") have been downgraded from `Error` to `Debug`. These outcomes are expected during the introspection endpoint's fallback authentication pattern and are not genuine errors.
+
+To compensate, `Warning`-level log entries have been added at the token endpoint, token revocation endpoint, and backchannel authentication endpoint when client validation fails, so genuine authentication failures remain visible to operators.
+
+**Impact:** If your monitoring or alerting watches for `Error`-level log entries from `ApiSecretValidator` or `ClientSecretValidator` to detect authentication failures, those alerts will no longer trigger. Update your alerting to watch for `Warning`-level entries at the endpoint level instead.
+
+### Audience Validation Now Accepts Single-Element Arrays
+
+When `StrictClientAssertionAudienceValidation` is enabled (or when a client assertion uses the `client-authentication+jwt` token type), the `aud` claim in `private_key_jwt` client assertions may now be either a plain string or a single-element JSON array containing the issuer identifier. Previously, only a plain string was accepted.
+
+This aligns with [draft-ietf-oauth-rfc7523bis](https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis/), which permits the issuer identifier as the sole audience value in either form. Multi-element arrays are still rejected.
+
+**Impact:** Clients that send the `aud` claim as a single-element array (e.g., `"aud": ["https://your-issuer"]`) will now pass strict audience validation where they previously would have failed. No action is required unless you relied on the stricter behavior.
+
+## Step 7: Done!
 
 That's it. Of course, at this point you can and should test that your IdentityServer is updated and
 working properly.