Welcome to Duende IdentityServer
Meet Duende IdentityServer. A secure, flexible, and standards-compliant framework for OpenID Connect and OAuth 2.0. Use it as-is, or with full control of your UI, UX, business logic, and data. You decide.
v7.2.3
Features
This dashboard provides access to various IdentityServer functionalities for demo purposes only.
Discovery Document
A discovery document where you can find metadata and links to all the endpoints, key material, etc.
Claims
See the claims for your current session.
Grants
Manage your stored grants.
CIBA
View your pending Client-Initiated Backchannel Authentication (CIBA) login requests.
References
To learn more about Duende products and how to implement them, check out our source repositories and samples.
Duende IdentityServer Source Code
The source code for the Duende IdentityServer and other Duende Products.
Ready-to-use Samples
Ready-to-use IdentityServer samples for .NET and ASP.NET Core
Demo Server Source Code
The source code for this demo server.
Demo clients
You can use this demo server for different types of clients. Use the below configurations to work with them in your own demo applications or use them in the IdentityServer sample projects.
Machine-to-machine communication can be done using client credentials.
m2m
Machine to machine (client credentials)
m2mGrant type: client credentials
Requires PKCE
Client secret:
secret
Access token lifetime: 1h
Allowed scopes:
api
m2m.jwt
Machine to machine (client credentials with JWT)
m2m.jwtGrant type: client credentials
Requires PKCE
Client secret: private key JWT
Access token lifetime: 1h
Allowed scopes:
api
m2m.dpop
Machine to machine (client credentials)
m2m.dpopGrant type: client credentials
Requires PKCE
Requires the use of DPoP
Client secret:
secret
Access token lifetime: 1h
Allowed scopes:
api
m2m.dpop.nonce
Machine to machine (client credentials)
m2m.dpop.nonceGrant type: client credentials
Requires PKCE
Requires the use of DPoP and nonce
Client secret:
secret
Access token lifetime: 1h
Allowed scopes:
api
m2m.short
Machine to machine with short access token lifetime (client credentials)
m2m.shortGrant type: client credentials
Requires PKCE
Client secret:
secret
Access token lifetime: 0h 1m 15s
Allowed scopes:
api
m2m.short.jwt
Machine to machine (client credentials with JWT)
m2m.short.jwtGrant type: client credentials
Requires PKCE
Client secret: private key JWT
Access token lifetime: 0h 1m 15s
Allowed scopes:
api
Interactive clients use interactive user authentication via the OpenID Connect protocol.
interactive.confidential
Interactive client (Code with PKCE)
interactive.confidentialGrant type: authorization code and client credentials
Requires PKCE
Client secret:
secret
Access token lifetime: 1h
Allowed scopes:
api
openid
profile
email
offline_access
interactive.confidential.jwt
Interactive client (Code with PKCE) using private key JWT authentication
interactive.confidential.jwtGrant type: authorization code and client credentials
Requires PKCE
Client secret: private key JWT
Access token lifetime: 1h
Allowed scopes:
api
openid
profile
email
offline_access
interactive.confidential.jar.jwt
Interactive client (Code with PKCE) using JAR and private key JWT
interactive.confidential.jar.jwtGrant type: authorization code and client credentials - requires JAR
Requires PKCE
Client secret: private key JWT
Access token lifetime: 1h
Allowed scopes:
api
openid
profile
email
offline_access
interactive.confidential.short
Interactive client with short token lifetime (Code with PKCE)
interactive.confidential.shortGrant type: authorization code and client credentials
Requires PKCE
Client secret:
secret
Access token lifetime: 0h 1m 15s
Allowed scopes:
api
openid
profile
email
offline_access
interactive.confidential.short.jwt
Interactive client (Code with PKCE) using private key JWT authentication with short access token lifetime
interactive.confidential.short.jwtGrant type: authorization code and client credentials
Requires PKCE
Client secret: private key JWT
Access token lifetime: 0h 1m 15s
Allowed scopes:
api
openid
profile
email
offline_access
interactive.confidential.short.jar.jwt
Interactive client (Code with PKCE) using JAR and private key JWT
interactive.confidential.short.jar.jwtGrant type: authorization code and client credentials - requires JAR
Requires PKCE
Client secret: private key JWT
Access token lifetime: 0h 1m 15s
Allowed scopes:
api
openid
profile
email
offline_access
interactive.public
Interactive client (Code with PKCE)
interactive.publicGrant type: authorization code
Requires PKCE
Access token lifetime: 1h
Allowed scopes:
api
openid
profile
email
offline_access
interactive.public.short
Interactive client with short token lifetime (Code with PKCE)
interactive.public.shortGrant type: authorization code
Requires PKCE
Access token lifetime: 0h 1m 15s
Allowed scopes:
api
openid
profile
email
offline_access
interactive.confidential.nopkce
Interactive client (Code without PKCE)
interactive.confidential.nopkceGrant type: authorization code and client credentials
Client secret:
secret
Access token lifetime: 1h
Allowed scopes:
api
openid
profile
email
offline_access
interactive.confidential.hybrid
Interactive client (Code with Hybrid Flow)
interactive.confidential.hybridGrant type: hybrid and client credentials
Client secret:
secret
Access token lifetime: 1h
Allowed scopes:
api
openid
profile
email
offline_access
native.dpop
Native client (Code with PKCE + DPop)
native.dpopGrant type: authorization code
Requires PKCE
Requires the use of DPoP and nonce
Access token lifetime: 1h
Allowed scopes:
api
openid
profile
email
offline_access
device
Device Flow Client
deviceGrant type: device flow
Requires PKCE
Access token lifetime: 1h
Allowed scopes:
api
openid
profile
email
offline_access
login
loginGrant type: implicit
Requires PKCE
Access token lifetime: 1h
Allowed scopes:
openid
profile
email
Sample APIs
This demo server provides several sample API endpoints:
-
You can call a test API at
https://demo.duendesoftware.com/api/test. This accepts Bearer token requests. -
You can call a test API at
https://demo.duendesoftware.com/api/dpop/test. This accepts DPoP token requests.
RSA key for JWT/JAR samples
You can use the below RSA key for all clients requiring private key JWT authentication or JAR:
{
"d":"GmiaucNIzdvsEzGjZjd43SDToy1pz-Ph-shsOUXXh-dsYNGftITGerp8bO1iryXh_zUEo8oDK3r1y4klTonQ6bLsWw4ogjLPmL3yiqsoSjJa1G2Ymh_RY_sFZLLXAcrmpbzdWIAkgkHSZTaliL6g57vA7gxvd8L4s82wgGer_JmURI0ECbaCg98JVS0Srtf9GeTRHoX4foLWKc1Vq6NHthzqRMLZe-aRBNU9IMvXNd7kCcIbHCM3GTD_8cFj135nBPP2HOgC_ZXI1txsEf-djqJj8W5vaM7ViKU28IDv1gZGH3CatoysYx6jv1XJVvb2PH8RbFKbJmeyUm3Wvo-rgQ",
"dp":"YNjVBTCIwZD65WCht5ve06vnBLP_Po1NtL_4lkholmPzJ5jbLYBU8f5foNp8DVJBdFQW7wcLmx85-NC5Pl1ZeyA-Ecbw4fDraa5Z4wUKlF0LT6VV79rfOF19y8kwf6MigyrDqMLcH_CRnRGg5NfDsijlZXffINGuxg6wWzhiqqE",
"dq":"LfMDQbvTFNngkZjKkN2CBh5_MBG6Yrmfy4kWA8IC2HQqID5FtreiY2MTAwoDcoINfh3S5CItpuq94tlB2t-VUv8wunhbngHiB5xUprwGAAnwJ3DL39D2m43i_3YP-UO1TgZQUAOh7Jrd4foatpatTvBtY3F1DrCrUKE5Kkn770M",
"e":"AQAB",
"kid":"ZzAjSnraU3bkWGnnAqLapYGpTyNfLbjbzgAPbbW2GEA",
"kty":"RSA",
"n":"wWwQFtSzeRjjerpEM5Rmqz_DsNaZ9S1Bw6UbZkDLowuuTCjBWUax0vBMMxdy6XjEEK4Oq9lKMvx9JzjmeJf1knoqSNrox3Ka0rnxXpNAz6sATvme8p9mTXyp0cX4lF4U2J54xa2_S9NF5QWvpXvBeC4GAJx7QaSw4zrUkrc6XyaAiFnLhQEwKJCwUw4NOqIuYvYp_IXhw-5Ti_icDlZS-282PcccnBeOcX7vc21pozibIdmZJKqXNsL1Ibx5Nkx1F1jLnekJAmdaACDjYRLL_6n3W4wUp19UvzB1lGtXcJKLLkqB6YDiZNu16OSiSprfmrRXvYmvD8m6Fnl5aetgKw",
"p":"7enorp9Pm9XSHaCvQyENcvdU99WCPbnp8vc0KnY_0g9UdX4ZDH07JwKu6DQEwfmUA1qspC-e_KFWTl3x0-I2eJRnHjLOoLrTjrVSBRhBMGEH5PvtZTTThnIY2LReH-6EhceGvcsJ_MhNDUEZLykiH1OnKhmRuvSdhi8oiETqtPE",
"q":"0CBLGi_kRPLqI8yfVkpBbA9zkCAshgrWWn9hsq6a7Zl2LcLaLBRUxH0q1jWnXgeJh9o5v8sYGXwhbrmuypw7kJ0uA3OgEzSsNvX5Ay3R9sNel-3Mqm8Me5OfWWvmTEBOci8RwHstdR-7b9ZT13jk-dsZI7OlV_uBja1ny9Nz9ts",
"qi":"pG6J4dcUDrDndMxa-ee1yG4KjZqqyCQcmPAfqklI2LmnpRIjcK78scclvpboI3JQyg6RCEKVMwAhVtQM6cBcIO3JrHgqeYDblp5wXHjto70HVW6Z8kBruNx1AH9E8LzNvSRL-JVTFzBkJuNgzKQfD0G77tQRgJ-Ri7qu3_9o1M4"
}