TheIdServer use Duende IdentityServer, for a commercial use you need to acquire a license.
The server obtains configuration from appsettings.json, appsettings.{Environment}.json, command-line arguments, or environment variables.
Read Configuration in ASP.NET Core for more information.
The Terraform Helm module theidserver make the deployement of TheIdServer easy.
To deploy the Duende version choose the aguacongas/theidserver.duende image.
provider "helm" {
kubernetes {
config_path = var.kubeconfig_path
module "theidserver" {
source = "Aguafrommars/theidserver/helm"
host = ""
tls_issuer_name = "letsencrypt"
tls_issuer_kind = "ClusterIssuer"
image = {
repository = "aguacongas/theidserver.duende"
pullPolicy = "Always"
tag = "next"
The theidserver Helm chart is available in
helm repo add aguafrommars
helm install aguafrommars theidserver --set theidserver.mysql.db.password=my-P@ssword --set image.repository=aguacongas/theidserver.duende
By default the helm char install the IS4 version, to install the Duende version your need to set
Follow upgrades intstructions in the chart readme.
A server's Linux image is available on Docker Hub.
sample/MultiTiers/Aguacongas.TheIdServer.Private/Dockerfile.Duende-private demonstrates how to create an image from the server image to run a private Linux server container.
sample/MultiTiers/Aguacongas.TheIdServer.Public/Dockerfile.Duende-public illustrates how to create an image from the server image to run a public Linux server container.
Read Hosting ASP.NET Core images with Docker over HTTPS to set up the HTTPS certificate.
/sample/Kubernetes/ contains a sample to set up a solution with Kubernetes.
The sample use the IS4 version but you just need to use
as docker image in the deployement file.
The template TheIdServer.Duende.Template can be use to setup a TheIdServer solution.
dotnet new -i TheIdServer.Duende.Template
> dotnet new tisduende -o TheIdServer
The template "TheIdServer.Duende" was created successfully.
Processing post-creation actions...
Running 'dotnet restore' on TheIdServer\TheIdServer.sln...
Determining projects to restore...
Restored C:\Projects\Perso\Templates\artifacts\TheIdServer\test\WebAssembly.Net.Http\WebAssembly.Net.Http.csproj (in 114 ms).
Restored C:\Projects\Perso\Templates\artifacts\TheIdServer\src\TheIdServer.BlazorApp\TheIdServer.BlazorApp.csproj (in 916 ms).
Restored C:\Projects\Perso\Templates\artifacts\TheIdServer\test\Microsoft.AspNetCore.Components.Testing\Microsoft.AspNetCore.Components.Testing.csproj (in 1.08 sec).
Restored C:\Projects\Perso\Templates\artifacts\TheIdServer\src\TheIdServer\TheIdServer.csproj (in 2.03 sec).
Restored C:\Projects\Perso\Templates\artifacts\TheIdServer\test\TheIdServer.Test\TheIdServer.Test.csproj (in 2.04 sec).
Restored C:\Projects\Perso\Templates\artifacts\TheIdServer\test\TheIdServer.IntegrationTest\TheIdServer.IntegrationTest.csproj (in 2.04 sec).
Restore succeeded.
If you need more customization, you can use published NuGet packages. sample/MultiTiers contains a sample to build server and API from NuGet packages.
The sample use IS4 version but you just need to remplace IS4 by Duende in package reference to use the Duende version.
Choose your release in the list of releases and download the server zip.
Unzip in the destination of your choice. Unzip in the destination of your choice. As with any ASP.NET Core web site, it can run in IIS or as a stand-alone server using your chosen platform.
Read Host and deploy ASP.NET Core for more information.
Data protection provides details on data protection configuration.
The site name is defined by SiteOptions:TheIdServer.
"SiteOptions": {
"Name": "TheIdServer"
The site stylecheets are wwwroot/lib/bootstrap/css/bootstrap.css and wwwroot/css/site.min.css.
The site logo is wwwroot/logo.png.
And the favicon is wwwroot/favicon.ico.
By replacing those files you can redefined the site style by yours.
The section AccountOptions is bound to AccountOptions
"AccountOptions": {
"AllowLocalLogin": true,
"AllowRememberLogin": true,
"RememberMeLoginDuration": "30.00:00:00",
"ShowLogoutPrompt": true,
"AutomaticRedirectAfterSignOut": false,
"InvalidCredentialsErrorMessage": "Invalid username or password",
"ShowForgotPassworLink": true,
"ShowRegisterLink": true,
"ShowResendEmailConfirmationLink": true
The section IdentityOptions is bound to the class Microsoft.AspNetCore.Identity.IdentityOptions
So you can set any ASP.Net Core Identity options you want from configuration
"IdentityOptions": {
"User": {
"AllowedUserNameCharacters": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+ "
"SignIn": {
"RequireConfirmedAccount": true
Read OWASP Password Storage Cheat Sheet to choose and configure your password hasher.
is the default hasher used by ASP.Net Core Identity.
You can hash password using PBKDF2 if the upgrade password hasher is configured to use Microsoft.AspNetCore.Identity.PasswordHasher
The section PasswordHasherOptions is bound to the class Microsoft.AspNetCore.Identity.PasswordHasherOptions
So you can set any Microsoft.AspNetCore.Identity.PasswordHasherOptions
properties you want from configuration.
"PasswordHasherOptions": {
"IterationCount": 600000
You can hash password using Argon2id if the upgrade password hasher is configured to use Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasher
The section Argon2PasswordHasherOptions is bound to the class Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasherOptions
So you can set any Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasherOptions
properties you want from configuration.
"Argon2PasswordHasherOptions": {
"Interations": 2,
"Memory": 67108864
You can hash password using scrypt if the upgrade password hasher is configured to use Aguacongas.TheIdServer.Identity.ScryptPasswordHasher.ScryptPasswordHasher
The section ScryptPasswordHasherOptions is bound to the class Aguacongas.TheIdServer.Identity.ScryptPasswordHasher.ScryptPasswordHasherOptions
So you can set any Aguacongas.TheIdServer.Identity.ScryptPasswordHasher.ScryptPasswordHasherOptions
properties you want from configuration.
"ScryptPasswordHasherOptions": {
"IterationCount": 131072,
"BlockSize": 8,
"ThreadCount": 1
You can hash password using bcrypt if the upgrade password hasher is configured to use Aguacongas.TheIdServer.Identity.BcryptPasswordHasher.BcryptPasswordHasher
The section BcryptPasswordHasherOptions is bound to the class Aguacongas.TheIdServer.Identity.BcryptPasswordHasher.BcryptPasswordHasherOptions
So you can set any Aguacongas.TheIdServer.Identity.BcryptPasswordHasher.BcryptPasswordHasherOptions
properties you want from configuration.
"BcryptPasswordHasherOptions": {
"WorkFactor": 11
Upgrade password hasher is used to manage hash migration between old password hashing algorithm to the new one to use.
In previous version of TheIdServer password was hashed with PBKDF2 by default ASP.Net Core Identity password hasher with its default configuration.
Now you can choose between Argon2id, scrypt, bcrypt and PBKDF2 by settings the hasher to use.
Read Password Hasher to rehash password to a new algorithm for ASP.NET Core Identity. for more information.
The section UpgradePasswordHasherOptions is bound to the class Aguacongas.TheIdServer.Identity.UpgradePasswordHasher.UpgradePasswordHasherOptions
So you can set any Aguacongas.TheIdServer.Identity.UpgradePasswordHasher.UpgradePasswordHasherOptions
properties you want from configuration.
"UpgradePasswordHasherOptions": {
"HashPrefixMaps": {
"0": "Microsoft.AspNetCore.Identity.PasswordHasher",
"1": "Microsoft.AspNetCore.Identity.PasswordHasher",
"162": "Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasher",
"12": "Aguacongas.TheIdServer.Identity.ScryptPasswordHasher.ScryptPasswordHasher",
"188": "Aguacongas.TheIdServer.Identity.BcryptPasswordHasher.BcryptPasswordHasher"
"UsePasswordHasherTypeName": "Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasher"
The section IdentityServerOptions is bound to the class Duende.IdentityServer.Configuration.IdentityServerOptions
So you can set any Duende IdentityServer options you want from configuration (but key management options).
"IdentityServerOptions": {
"Events": {
"RaiseErrorEvents": true,
"RaiseInformationEvents": true,
"RaiseFailureEvents": true,
"RaiseSuccessEvents": true
"Endpoints": {
"EnableJwtRequestUri": true
You can add customs entries to the genererated discovery document with IdentityServerOptions sub section CustomEntriesOfStringArray, CustomEntriesOfString and CustomEntriesOfBool
"IdentityServerOptions": {
"CustomEntriesOfStringArray": {
"token_endpoint_auth_signing_alg_values_supported": [
The sample above will add "token_endpoint_auth_signing_alg_values_supported"
node to the generated document.
When Muutal TLS is enabled, you can configure the client certificate authentication options with CertificateAuthenticationOptions
"IdentityServerOptions": {
"MutualTls": {
"Enabled": true
"CertificateAuthenticationOptions": {
"AllowedCertificateTypes": "All",
"ValidateCertificateUse": false,
"ValidateValidityPeriod": false,
"RevocationMode": "NoCheck"
When Mutual TLS is enabled the client certificate can be read in PEM format from request header. For exemple if you use a kubernetes NGINX ingress you can configure it to send the client certificate to the backend in the ssl-client-cert header. See Client Certificate Authentication.
To retrieve the client certificate from the request header confiure the MutualTls
sub section like :
"IdentityServerOptions": {
"MutualTls": {
"Enabled": true,
"PEMHeader": "ssl-client-cert"
Read Server-side sessions
The server supports SqlServer, Sqlite, MySql, PostgreSQL, Oracle, and InMemory databases.
Use DbType to the define the database engine.
"DbType": "SqlServer"
And ConnectionStrings:DefaultConnection to define the connection string.
"ConnectionStrings": {
"DefaultConnection": "Data Source=(LocalDb)\\MSSQLLocalDB;database=TheIdServer;trusted_connection=yes;"
A devart dotConnect for Oracle license is a requirement for Oracle.
Use DbType to the define the RavenDb database engine.
"DbType": "RavenDb"
And RavenDbOptions to define the RavenDb options.
"RavenDbOptions": {
"Urls": [
"Database": "TheIdServer",
"CertificatePath": "cluster.admin.client.certificate.pfx",
"CertificatePassword": "p@$$w0rd"
As no
will be registered, you cannot store signing keys in EF but you can choose theRavenDb
storage kind (see Configure signin keys):
"IdentityServer": {
"Key": {
"StorageKind": "RavenDb"
"DataProtectionOptions": {
"StorageKind": "RavenDb"
The server support RavenDb 4.1 and above.
Use DbType to the define the RavenDb database engine.
"DbType": "MongoDb"
And ConnectionStrings:DefaultConnection to define the connection string.
"ConnectionStrings": {
"DefaultConnection": "mongodb+srv://"
We cannot used another database than the default database defined in the connection string.
As no
will be registered, you cannot store signing keys in EF but you can choose theMongoDb
storage kind (see Configure signin keys):
"IdentityServer": {
"Key": {
"StorageKind": "MongoDb"
"DataProtectionOptions": {
"StorageKind": "MongoDb"
If you don't want to expose a database with your server, you can set up a second server on a private network accessing the database and use this private server API to access data.
"Proxy": true,
"PrivateServerAuthentication": {
"Authority": "https://theidserverprivate",
"ApiUrl": "https://theidserverprivate/api",
"ClientId": "public-server",
"ClientSecret": "84137599-13d6-469c-9376-9e372dd2c1bd",
"Scope": "theidserveradminapi",
"HttpClientName": "is4"
"SignalR": {
"HubUrl": "https://theidserverprivate/providerhub"
"HubOptions": {
"EnableDetailedErrors": true
"UseMessagePack": true
Start the server with proxy mode enabled.
Defines how to authenticate the public server on private server API.
Defines the SignalR client configuration.
This client is used to update the external provider configuration of a running instance. When an external provider configuration changes, the API sends a SignalR notification to inform other running instances.
For more information, read Load balancing scenario.
The SignalR hub accepts requests at /providerhub and supports the MessagePack protocol.
For more information, read Use MessagePack Hub Protocol in SignalR for ASP.NET Core.
Starting the server with the /seed command-line argument creates the database with initial data. Alternatively, configure the server with the following to create a database with initial users, protected resources, identity resources, and clients.
"Migrate": true,
"Seed": true
- Is4-Writer authorizes users in this role to write data.
- Is4-Reader permits users in this role to read data.
- profile default profile resource with role claim
- openid default OpenID resource
- address default address resource
- email default email resource
- phone default phone resource
Users defined in InitialData:Users
configuration section are loaded and stored to the DB.
Default configuration:
"InitialData": {
"Users": [
"UserName": "alice",
"Email": "",
"EmailConfirmed": true,
"PhoneNumber": "+41766403736",
"PhoneNumberConfirmed": true,
"Password": "Pass123$",
"Roles": [
"Claims": [
"ClaimType": "name",
"ClaimValue": "Alice Smith"
"ClaimType": "given_name",
"ClaimValue": "Alice"
"ClaimType": "family_name",
"ClaimValue": "Smith"
"ClaimType": "middle_name",
"ClaimValue": "Alice Smith"
"ClaimType": "nickname",
"ClaimValue": "alice"
"ClaimType": "website",
"ClaimValue": ""
"ClaimType": "address",
"ClaimValue": "{ \"street_address\": \"One Hacker Way\", \"locality\": \"Heidelberg\", \"postal_code\": \"69118\", \"country\": \"Germany\" }",
"ClaimType": "birthdate",
"ClaimValue": "1970-01-01"
"ClaimType": "zoneinfo",
"ClaimValue": "ch"
"ClaimType": "gender",
"ClaimValue": "female"
"ClaimType": "profile",
"ClaimValue": ""
"ClaimType": "locale",
"ClaimValue": "fr"
"ClaimType": "picture",
"ClaimValue": ""
A user with Is4-Writer and Is4-Reader roles is required to use the admin app.
Apis defined in InitialData:Apis
configuration section are loaded and stored to the DB.
Default configuration:
"InitialData": {
"Apis": [
"Name": "theidserveradminapi",
"DisplayName": "TheIdServer admin API",
"UserClaims": [
"ApiSecrets": [
"Type": "SharedSecret",
"Value": "5b556f7c-b3bc-4b5b-85ab-45eed0cb962d"
"Scopes": [
The api theidserveradminapi is required for the admin app.
ApiScopes defined in InitialData:ApiScopes
configuration section are loaded and stored to the DB.
Default configuration:
"InitialData": {
"ApiScopes": [
"Name": "theidserveradminapi",
"DisplayName": "TheIdServer admin API",
"UserClaims": [
The scope theidserveradminapi is required for the admin app.
Clients defined in InitialData:Clients
configuration section are loaded and stored to the DB.
Default configuration:
"InitialData": {
"Clients": [
"ClientId": "theidserveradmin",
"ClientName": "TheIdServer admin SPA Client",
"ClientUri": "https://localhost:5443/",
"ClientClaimsPrefix": null,
"AllowedGrantTypes": [ "authorization_code" ],
"RequirePkce": true,
"RequireClientSecret": false,
"BackChannelLogoutSessionRequired": false,
"FrontChannelLogoutSessionRequired": false,
"RedirectUris": [
"PostLogoutRedirectUris": [
"AllowedCorsOrigins": [
"AllowedScopes": [
"AccessTokenType": "Reference"
"ClientId": "public-server",
"ClientName": "Public server Credentials Client",
"ClientClaimsPrefix": null,
"AllowedGrantTypes": [ "client_credentials" ],
"ClientSecrets": [
"Type": "SharedSecret",
"Value": "84137599-13d6-469c-9376-9e372dd2c1bd"
"Claims": [
"Type": "role",
"Value": "Is4-Writer"
"Type": "role",
"Value": "Is4-Reader"
"BackChannelLogoutSessionRequired": false,
"FrontChannelLogoutSessionRequired": false,
"AllowedScopes": [
"AccessTokenType": "Reference"
The client theidserveradmin is required by the admin app. The client public-server is required to call web apis and server side prerendering of the admin app.
TheIdServer can be configured with a keys rotation mechanism instead of a single key.
Read Keys rotation to know how to configure it.
"IdentityServer": {
"Key": {
"Type": "KeysRotation",
"StorageKind": "EntityFramework"
"IdentityServer": {
"Key": {
"Type": "File",
"FilePath": "{path to the .pfx}",
"Password": "{.pfx password}"
Read Example: Deploy to Azure Websites
By default, the server uses SendGrid to send Emails by calling the API at /api/email
"SendGridUser": "your user",
"SendGridKey": "your SendGrid key"
If you prefer to use your Email sender, implement a Web API receiving a POST request with the json:
"subject": "Email subject",
"message": "Email message",
"addresses": [
And update the EmailApiAuthentication configuration section:
"EmailApiAuthentication": {
"Authority": "https://localhost:5443",
"ApiUrl": "https://localhost:5443/api/email",
"ClientId": "public-server",
"ClientSecret": "84137599-13d6-469c-9376-9e372dd2c1bd",
"Scope": "theidserveradminapi",
"HttpClientName": "email"
If you want to use the same authentication configuration and token for both EmailApi and PrivateServer, you can simplify it by sharing the same HttpClientName.
"EmailApiAuthentication": {
"ApiUrl": "https://localhost:5443/api/email",
"HttpClientName": "is4"
By default, the issuer for the 2fa authenticator is Aguacongas.TheIdServer.
To update this value, set AuthenticatorIssuer with your issuer.
"AuthenticatorIssuer": "TheIdServer"
The ApiAuthentication section defines the authentication configuration for the API.
"ApiAuthentication": {
"Authority": "https://localhost",
"RequireHttpsMetadata": false,
"SupportedTokens": "Both",
"ApiName": "theidserveradminapi",
"ApiSecret": "5b556f7c-b3bc-4b5b-85ab-45eed0cb962d",
"EnableCaching": true,
"CacheDuration": "0:10:0",
"LegacyAudienceValidation": true
To enable the API documentation, set EnableOpenApiDoc to true
"EnableOpenApiDoc": true
Use the section SwaggerUiSettings to configure the swagger client authentication.
"SwaggerUiSettings": {
"Path": "/api/swagger",
"OAuth2Client": {
"ClientId": "theidserver-swagger",
"AppName": "TheIdServer Swagger UI",
"UsePkceWithAuthorizationCodeGrant": true
"WithCredentials": true
The section CorsAllowedOrigin defines allowed CORS origins.
"CorsAllowedOrigin": [
To disable HTTPS, set DisableHttps to false
"DisableHttps": true
If you use a self-signed certificate, you can disable strict-SSL by settings DisableStrictSsl to true
"DisableStrictSsl": true
The section ForwardedHeadersOptions is bound to the class Microsoft.AspNetCore.Builder.ForwardedHeadersOptions
"ForwardedHeadersOptions": {
"ForwardedHeaders": "All"
Some reverses proxies don't' forward headers. You can force HTTP requests schemes to https by settings ForceHttpsScheme.
"ForceHttpsScheme": true
The Aguacongas.AspNetCore.Authentication library dynamically configures external providers.
In a load-balanced configuration, the provider hub informs other running instances that an external provider configuration changes.
The SignalR section defines the configuration for both the SignalR hub and the client.
"SignalR": {
"HubUrl": "https://theidserverprivate/providerhub",
"HubOptions": {
"EnableDetailedErrors": true
"UseMessagePack": true,
"RedisConnectionString": "redis:6379",
"RedisOptions": {
"Configuration": {
"ChannelPrefix": "TheIdServer"
If needed, the hub can use a Redis backplane. SignalR:RedisConnectionString and SignalR:RedisOptions configures the backplane.
SignalR:RedisOptions is bound to an instance of Microsoft.AspNetCore.SignalR.StackExchangeRedis.RedisOptions
at startup.
The Serilog section defines the Serilog configuration.
"Serilog": {
"LevelSwitches": {
"$controlSwitch": "Information"
"MinimumLevel": {
"ControlledBy": "$controlSwitch"
"WriteTo": [
"Name": "Seq",
"Args": {
"serverUrl": "http://localhost:5341",
"controlLevelSwitch": "$controlSwitch",
"apiKey": "DVYuookX2vOq078fuOyJ"
"Name": "Console",
"Args": {
"outputTemplate": "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message:lj}{NewLine}{Exception}{NewLine}",
"theme": "Serilog.Sinks.SystemConsole.Themes.AnsiConsoleTheme::Literate, Serilog.Sinks.Console"
"Name": "Debug",
"Args": {
"outputTemplate": "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message:lj}{NewLine}{Exception}{NewLine}"
"Enrich": [
For more details, read Serilog.Settings.Configuration.
Claims provider provides details on claims proivder configuration.
The token cleaner task removes expired tokens periodically. To configure the interval, use TokenCleanupInterval.
"TokenCleanupInterval": "00:05:00"
To disable the task, use DisableTokenCleanup.
"DisableTokenCleanup": true
The task is not enabled on proxy server.
The server supports OpenID Connect Dynamic Client Registration.
New client registration is allowed to users with the Is4-Writer role by sending the user access token or to contacts defined in DynamicClientRegistrationOptions section.
"DynamicClientRegistrationOptions": {
"AllowedContacts": [
"Contact": "",
"AllowedHosts": [
It this case, the client registration request must contain the contacts array.
request sample
"client_name": "oidc_cert_client gUPPBlHIEAqNOYR",
"grant_types": [
"response_types": [
"redirect_uris": [
"contacts": [
Tokens returned by request_uri parameter are validated using the rules defined in TokenValidationParameters section. By default, the following rules are defined.
"TokenValidationParameters": {
"ValidateIssuer": false,
"ValidateAudience": false,
"ValidateIssuerSigningKey": false,
"ValidateLifetime": false,
"RequireAudience": false,
"RequireExpirationTime": false,
"RequireSignedTokens": false
To enable JWT request uri, set EnableJwtRequestUri to true in IdentityServerOptions:Endpoints
"IdentityServerOptions": { "Endpoints": { "EnableJwtRequestUri": true } },
Read Aguacongas.IdentityServer.WsFederation.Duende
Read DUENDE CIBA INTEGRATION/Notification service
The server and the blazor app integrate Aguafrommars/DynamicConfiguration. Most of the configuration can be ovveriden using the blazor app.
Use DynamicConfigurationOptions to define the dynamic configuration provider.
"DynamicConfigurationOptions": {
"ProviderType": "Aguacongas.DynamicConfiguration.Redis.RedisConfigurationProvider, Aguacongas.DynamicConfiguration.Redis"
Use RedisConfigurationOptions section to configure the Redis db.
"RedisConfigurationOptions": {
"ConnectionString": "localhost",
"HashKey": "Aguacongas.TheIdServer.Duende",
"Channel": "Aguacongas.TheIdServer.Duende.Channel"
The server expose an health checks enpoint you can use for docker on kubernetes at /healthz.
The endpoit return a json reponse depending on the store kind used and redis dependencies :
"status": "Healthy",
"results": {
"ConfigurationDbContext": {
"status": "Healthy"
"OperationalDbContext": {
"status": "Healthy"
"ApplicationDbContext": {
"status": "Healthy"
"DynamicConfigurationRedis": {
"status": "Healthy"
Configure OpenTelemetry doc provides details on OpenTelemetry configuration.
- Host and deploy ASP.NET Core
- DymamicAuthProviders
- Set up a Redis backplane for ASP.NET Core SignalR scale-out
- Microsoft.AspNetCore.SignalR.StackExchangeRedis.RedisOptions
- Serilog.Settings.Configuration
- Hosting ASP.NET Core images with Docker over HTTPS
- OpenID Connect Dynamic Client Registration
- Aguafrommars/DynamicConfiguration
- OpenTelemetry