Duende Software Logo

Welcome to Duende IdentityServer

Meet Duende IdentityServer. A secure, flexible, and standards-compliant framework for OpenID Connect and OAuth 2.0. Use it as-is, or with full control of your UI, UX, business logic, and data. You decide.

v7.2.3

Get a License Learn More

Features

This dashboard provides access to various IdentityServer functionalities for demo purposes only.

Discovery Document

A discovery document where you can find metadata and links to all the endpoints, key material, etc.

Claims

See the claims for your current session.

Grants

Manage your stored grants.

CIBA

View your pending Client-Initiated Backchannel Authentication (CIBA) login requests.

References

To learn more about Duende products and how to implement them, check out our source repositories and samples.

Duende IdentityServer Source Code

The source code for the Duende IdentityServer and other Duende Products.

Ready-to-use Samples

Ready-to-use IdentityServer samples for .NET and ASP.NET Core

Demo Server Source Code

The source code for this demo server.

Demo clients

You can use this demo server for different types of clients. Use the below configurations to work with them in your own demo applications or use them in the IdentityServer sample projects.

Machine-to-machine communication can be done using client credentials.

m2m
Machine to machine (client credentials)
Client ID: m2m
Grant type: client credentials
Requires PKCE
Client secret: secret
Access token lifetime: 1h
Allowed scopes: api
m2m.jwt
Machine to machine (client credentials with JWT)
Client ID: m2m.jwt
Grant type: client credentials
Requires PKCE
Client secret: private key JWT
Access token lifetime: 1h
Allowed scopes: api
m2m.dpop
Machine to machine (client credentials)
Client ID: m2m.dpop
Grant type: client credentials
Requires PKCE
Requires the use of DPoP
Client secret: secret
Access token lifetime: 1h
Allowed scopes: api
m2m.dpop.nonce
Machine to machine (client credentials)
Client ID: m2m.dpop.nonce
Grant type: client credentials
Requires PKCE
Requires the use of DPoP and nonce
Client secret: secret
Access token lifetime: 1h
Allowed scopes: api
m2m.short
Machine to machine with short access token lifetime (client credentials)
Client ID: m2m.short
Grant type: client credentials
Requires PKCE
Client secret: secret
Access token lifetime: 0h 1m 15s
Allowed scopes: api
m2m.short.jwt
Machine to machine (client credentials with JWT)
Client ID: m2m.short.jwt
Grant type: client credentials
Requires PKCE
Client secret: private key JWT
Access token lifetime: 0h 1m 15s
Allowed scopes: api

Interactive clients use interactive user authentication via the OpenID Connect protocol.

interactive.confidential
Interactive client (Code with PKCE)
Client ID: interactive.confidential
Grant type: authorization code and client credentials
Requires PKCE
Client secret: secret
Access token lifetime: 1h
Allowed scopes: api openid profile email offline_access
interactive.confidential.jwt
Interactive client (Code with PKCE) using private key JWT authentication
Client ID: interactive.confidential.jwt
Grant type: authorization code and client credentials
Requires PKCE
Client secret: private key JWT
Access token lifetime: 1h
Allowed scopes: api openid profile email offline_access
interactive.confidential.jar.jwt
Interactive client (Code with PKCE) using JAR and private key JWT
Client ID: interactive.confidential.jar.jwt
Grant type: authorization code and client credentials - requires JAR
Requires PKCE
Client secret: private key JWT
Access token lifetime: 1h
Allowed scopes: api openid profile email offline_access
interactive.confidential.short
Interactive client with short token lifetime (Code with PKCE)
Client ID: interactive.confidential.short
Grant type: authorization code and client credentials
Requires PKCE
Client secret: secret
Access token lifetime: 0h 1m 15s
Allowed scopes: api openid profile email offline_access
interactive.confidential.short.jwt
Interactive client (Code with PKCE) using private key JWT authentication with short access token lifetime
Client ID: interactive.confidential.short.jwt
Grant type: authorization code and client credentials
Requires PKCE
Client secret: private key JWT
Access token lifetime: 0h 1m 15s
Allowed scopes: api openid profile email offline_access
interactive.confidential.short.jar.jwt
Interactive client (Code with PKCE) using JAR and private key JWT
Client ID: interactive.confidential.short.jar.jwt
Grant type: authorization code and client credentials - requires JAR
Requires PKCE
Client secret: private key JWT
Access token lifetime: 0h 1m 15s
Allowed scopes: api openid profile email offline_access
interactive.public
Interactive client (Code with PKCE)
Client ID: interactive.public
Grant type: authorization code
Requires PKCE
Access token lifetime: 1h
Allowed scopes: api openid profile email offline_access
interactive.public.short
Interactive client with short token lifetime (Code with PKCE)
Client ID: interactive.public.short
Grant type: authorization code
Requires PKCE
Access token lifetime: 0h 1m 15s
Allowed scopes: api openid profile email offline_access
interactive.confidential.nopkce
Interactive client (Code without PKCE)
Client ID: interactive.confidential.nopkce
Grant type: authorization code and client credentials
Client secret: secret
Access token lifetime: 1h
Allowed scopes: api openid profile email offline_access
interactive.confidential.hybrid
Interactive client (Code with Hybrid Flow)
Client ID: interactive.confidential.hybrid
Grant type: hybrid and client credentials
Client secret: secret
Access token lifetime: 1h
Allowed scopes: api openid profile email offline_access
native.dpop
Native client (Code with PKCE + DPop)
Client ID: native.dpop
Grant type: authorization code
Requires PKCE
Requires the use of DPoP and nonce
Access token lifetime: 1h
Allowed scopes: api openid profile email offline_access
device
Device Flow Client
Client ID: device
Grant type: device flow
Requires PKCE
Access token lifetime: 1h
Allowed scopes: api openid profile email offline_access
login
Client ID: login
Grant type: implicit
Requires PKCE
Access token lifetime: 1h
Allowed scopes: openid profile email

Sample APIs

This demo server provides several sample API endpoints:

RSA key for JWT/JAR samples

You can use the below RSA key for all clients requiring private key JWT authentication or JAR:

{
    "d":"GmiaucNIzdvsEzGjZjd43SDToy1pz-Ph-shsOUXXh-dsYNGftITGerp8bO1iryXh_zUEo8oDK3r1y4klTonQ6bLsWw4ogjLPmL3yiqsoSjJa1G2Ymh_RY_sFZLLXAcrmpbzdWIAkgkHSZTaliL6g57vA7gxvd8L4s82wgGer_JmURI0ECbaCg98JVS0Srtf9GeTRHoX4foLWKc1Vq6NHthzqRMLZe-aRBNU9IMvXNd7kCcIbHCM3GTD_8cFj135nBPP2HOgC_ZXI1txsEf-djqJj8W5vaM7ViKU28IDv1gZGH3CatoysYx6jv1XJVvb2PH8RbFKbJmeyUm3Wvo-rgQ",
    "dp":"YNjVBTCIwZD65WCht5ve06vnBLP_Po1NtL_4lkholmPzJ5jbLYBU8f5foNp8DVJBdFQW7wcLmx85-NC5Pl1ZeyA-Ecbw4fDraa5Z4wUKlF0LT6VV79rfOF19y8kwf6MigyrDqMLcH_CRnRGg5NfDsijlZXffINGuxg6wWzhiqqE",
    "dq":"LfMDQbvTFNngkZjKkN2CBh5_MBG6Yrmfy4kWA8IC2HQqID5FtreiY2MTAwoDcoINfh3S5CItpuq94tlB2t-VUv8wunhbngHiB5xUprwGAAnwJ3DL39D2m43i_3YP-UO1TgZQUAOh7Jrd4foatpatTvBtY3F1DrCrUKE5Kkn770M",
    "e":"AQAB",
    "kid":"ZzAjSnraU3bkWGnnAqLapYGpTyNfLbjbzgAPbbW2GEA",
    "kty":"RSA",
    "n":"wWwQFtSzeRjjerpEM5Rmqz_DsNaZ9S1Bw6UbZkDLowuuTCjBWUax0vBMMxdy6XjEEK4Oq9lKMvx9JzjmeJf1knoqSNrox3Ka0rnxXpNAz6sATvme8p9mTXyp0cX4lF4U2J54xa2_S9NF5QWvpXvBeC4GAJx7QaSw4zrUkrc6XyaAiFnLhQEwKJCwUw4NOqIuYvYp_IXhw-5Ti_icDlZS-282PcccnBeOcX7vc21pozibIdmZJKqXNsL1Ibx5Nkx1F1jLnekJAmdaACDjYRLL_6n3W4wUp19UvzB1lGtXcJKLLkqB6YDiZNu16OSiSprfmrRXvYmvD8m6Fnl5aetgKw",
    "p":"7enorp9Pm9XSHaCvQyENcvdU99WCPbnp8vc0KnY_0g9UdX4ZDH07JwKu6DQEwfmUA1qspC-e_KFWTl3x0-I2eJRnHjLOoLrTjrVSBRhBMGEH5PvtZTTThnIY2LReH-6EhceGvcsJ_MhNDUEZLykiH1OnKhmRuvSdhi8oiETqtPE",
    "q":"0CBLGi_kRPLqI8yfVkpBbA9zkCAshgrWWn9hsq6a7Zl2LcLaLBRUxH0q1jWnXgeJh9o5v8sYGXwhbrmuypw7kJ0uA3OgEzSsNvX5Ay3R9sNel-3Mqm8Me5OfWWvmTEBOci8RwHstdR-7b9ZT13jk-dsZI7OlV_uBja1ny9Nz9ts",
    "qi":"pG6J4dcUDrDndMxa-ee1yG4KjZqqyCQcmPAfqklI2LmnpRIjcK78scclvpboI3JQyg6RCEKVMwAhVtQM6cBcIO3JrHgqeYDblp5wXHjto70HVW6Z8kBruNx1AH9E8LzNvSRL-JVTFzBkJuNgzKQfD0G77tQRgJ-Ri7qu3_9o1M4"
}