IdentityServer4 is public again

Our Duende development team is committed to delivering the world's most secure, standards-compliant, trusted identity
solutions. While Duende IdentityServer is a fully supported and secure OpenID Connect and OAuth 2.0 framework for .NET
Core, IdentityServer4 has been out of support for a long time. The older IdentityServer4 contains multiple known
security vulnerabilities and bugs, and has outdated documentation.
With that background, we made the IdentityServer4 repository private on February 17, 2025, resulting in our fork of
the repository no longer being available to the general public. With over 2000 forks available on GitHub for anyone to
continue working with, the source code would stay around while we no longer endorsed it from its original location.
In addition, back when Dominick Baier and Brock Allen forked
IdentityServer4 to start Duende, they made sure to keep around information and documentation captured in GitHub issues
in the new Duende organization.
The community feedback we received convinced us we may have missed a few perspectives. While we stand by our reasoning
for making the IdentityServer4
repository private, there is value in keeping archived issues and pull requests available as learning material - even
if they are considered outdated.
We are very grateful to everyone who raised their concerns and shared their reasons for wanting to keep the repository
public in an archived state.
Along with explaining how we will keep the IdentityServer4 repository public on GitHub, we also want to highlight the
Duende IdentityServer Community Edition.
A public IdentityServer4 archive
There are multiple important reasons why we made our repositories private. IdentityServer4 went out of support when .NET
Core 3.1 reached its end-of-support date of December 2022. IdentityServer4 contains several known security
vulnerabilities and bugs, while at the same time providing outdated documentation and information.
For many years, the repository displayed a warning about these issues, as do the NuGet packages. However, we saw that
the source code was still being cloned, and the packages are still used - with folks actively putting vulnerable code
into production.
We made the repository private as we believe we cannot in good faith keep code on the Internet that will cause security
issues for users and their stakeholders. Thanks to community feedback, we are reconsidering our approach, and will:
- Make the IdentityServer4 repository public in an archived (read-only) state.
- Move the repository under the new DuendeArchive organization and make sure a redirect is in place from the original
  URL.
- Create a branch named archive from the main branch, which contains the source code of IdentityServer4. This way,
  sources will stay available but need the intentional action of switching branches.
- Ensure issues in the IdentityServer4 repository remain available and searchable on GitHub.
- Keep only the README and LICENSE files available in the main branch, and update the README with practical
  information about the state of the repository and how to find the archive branch.
Duende IdentityServer and Community Edition
We stand by not wanting to see the unmaintained IdentityServer4 source code deployed to production, and want to
highlight that Duende IdentityServer Community Edition is
available to a broad group of developers. It can be used by individuals, for-profit companies with less than 1M USD
projected annual gross revenue, and non-profits with less than 1M USD annual budget. The Community Edition is a free
license with the same features as our Enterprise Edition.
Duende IdentityServer is supported and maintained, targets the latest .NET versions, and implements a number of new
specifications that were added to OpenID Connect over the past few years, such
as Pushed Authentication Requests (PAR) for which we
also contributed client-side code to .NET.
If you are currently on IdentityServer4 and looking at an upgrade path, please check
the various upgrade guides. In addition, we can connect
you with our network of partners who can help make your OpenID Connect-powered
solutions more compliant by migrating to a supported identity provider.
At Duende, we focus on helping individuals and organizations build secure systems, especially around identity
management. At the same time, we’re developers who see value in keeping information around for research purposes. We
believe that with these actions, we’re striking the balance between these two.
Thanks again for your feedback over the past weeks.