Document licensing details for Business and Enterprise Edition-specific features across IdentityServer docs.

Author: maartenba

src/content/docs/identityserver/configuration/dcr.mdx

@@ -76,9 +76,8 @@ create a new ASP.NET Core Web application which will host the Configuration API.
     ```
 
     :::note
-    The Configuration API feature is included in the Duende IdentityServer Business
-    edition license and higher. Use the same license key for IdentityServer and the
-    Configuration API.
+    This feature is part of the [Duende IdentityServer Business and Enterprise Edition](https://duendesoftware.com/products/identityserver).
+    Configure the same license key for IdentityServer and the Configuration API.
     :::
 
 4. **Add and configure the client configuration store**

src/content/docs/identityserver/configuration/index.md

@@ -18,10 +18,11 @@ The Configuration API is a collection of endpoints that allow for management and
 implementation. The Configuration API can be hosted either separately or within the IdentityServer implementation, and is
 distributed through the separate [Duende.IdentityServer.Configuration NuGet package](https://www.nuget.org/packages/Duende.IdentityServer.Configuration).
 
-Currently, the Configuration API supports the [Dynamic Client Registration](/identityserver/configuration/dcr.mdx) protocol. 
+Currently, the Configuration API supports the [Dynamic Client Registration](/identityserver/configuration/dcr.mdx) protocol.
 
-The Configuration API is part of the [Duende IdentityServer](https://duendesoftware.com/products/identityserver) Business Edition or higher. The same [license](https://duendesoftware.com/products/identityserver#pricing) 
-and [special offers](https://duendesoftware.com/specialoffers) apply.
+:::note
+This feature is part of the [Duende IdentityServer Business and Enterprise Edition](https://duendesoftware.com/products/identityserver).
+:::
 
 The Configuration API source code is available [on GitHub](https://github.com/DuendeSoftware/products/tree/main/identity-server/src/Configuration).
 

src/content/docs/identityserver/fundamentals/key-management.md

@@ -39,8 +39,9 @@ material, including
 * announcement of upcoming new keys
 * maintenance of retired keys
 
-Automatic Key Management is included in [IdentityServer](https://duendesoftware.com/products/identityserver) Business
-Edition or higher.
+:::note
+This feature is part of the [Duende IdentityServer Business and Enterprise Edition](https://duendesoftware.com/products/identityserver).
+:::
 
 ### Configuration
 
@@ -60,7 +61,7 @@ has passed, keys are removed from discovery, and optionally deleted.
 
 The default is to rotate keys every 90 days, announce new keys with 14 days of
 propagation time, retain old keys for a duration of 14 days, and to delete keys
-when they are retired. 
+when they are retired.
 
 ```mermaid
 ---
@@ -73,12 +74,12 @@ config:
 gantt
     title 90 Day Key Rotation Schedule per Signing Algorithm
     todayMarker off
-        
+
     section RS256
         Signing   :active, rsa_s, 2025-01-01, 76d
         Retire    :rsa_r, after rsa_s, 14d
         Delete    :crit, rsa_d, after rsa_r, 1d
-        
+
         Announce  :rsa_na,  2025-03-03, 14d
         Signing   :active, rsa_ns, after rsa_na, 62d
         Retire    :rsa_nr, after rsa_ns, 14d
@@ -100,13 +101,13 @@ All of these options are configurable in the `KeyManagement` options. For exampl
 ```cs
 // Program.cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{   
+{
     // new key every 30 days
     options.KeyManagement.RotationInterval = TimeSpan.FromDays(30);
-    
+
     // announce new key 2 days in advance in discovery
     options.KeyManagement.PropagationTime = TimeSpan.FromDays(2);
-    
+
     // keep old key for 7 days in discovery for validation of tokens
     options.KeyManagement.RetentionDuration = TimeSpan.FromDays(7);
 
@@ -139,7 +140,7 @@ access to the `KeyPath`.
 ```cs
 // Program.cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{   
+{
     // set path to store keys
     options.KeyManagement.KeyPath = "/home/shared/keys";
 });
@@ -169,7 +170,7 @@ an X.509 certificate. Automatic key management will create and rotate keys for
 each signing algorithm you specify.
 
 :::note
-*X.509 certificates* have an expiration date, but IdentityServer does
+_X.509 certificates_ have an expiration date, but IdentityServer does
 not use this data to validate the certificate and throw an exception. If a certificate has expired then you
 must decide whether to continue using it or replace it with a new certificate.
 :::
@@ -179,10 +180,10 @@ options.KeyManagement.SigningAlgorithms = new[]
 {
     // RS256 for older clients (with additional X.509 wrapping)
     new SigningAlgorithmOptions(SecurityAlgorithms.RsaSha256) { UseX509Certificate = true },
-    
+
     // PS256
     new SigningAlgorithmOptions(SecurityAlgorithms.RsaSsaPssSha256),
-    
+
     // ES256
     new SigningAlgorithmOptions(SecurityAlgorithms.EcdsaSha256)
 };
@@ -200,7 +201,7 @@ resource and client basis.
 Instead of using [Automatic Key Management](#automatic-key-management), IdentityServer's signing keys can be set
 manually. Automatic Key Management is generally recommended, but if you want to
 explicitly control your keys statically, or you have a license that does not
-include the feature (e.g. the Starter Edition), you will need to manually manage
+include the feature, you will need to manually manage
 your keys. With static configuration you are responsible for secure storage,
 loading and rotation of keys.
 
@@ -378,7 +379,7 @@ key as a validation key.
 ```cs
 // Program.cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = false;
 });
 
@@ -406,7 +407,7 @@ the signing credential and validation key.
 ```cs
 // Program.cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = false;
 });
 
@@ -428,7 +429,7 @@ old key, it is safe to completely remove the old key.
 
 ```cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = false;
 });
 
@@ -473,7 +474,7 @@ key. IdentityServer will continue to sign keys with your old static key.
 
 ```cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = true;
 });
 
@@ -491,7 +492,7 @@ keep the old key for validation purposes.
 
 ```cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = true;
 });
 
@@ -508,7 +509,7 @@ Now the static key configuration can be removed entirely.
 
 ```cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = true;
 });
 ```

src/content/docs/identityserver/fundamentals/resources/isolation.md

@@ -11,10 +11,10 @@ redirect_from:
 ---
 
 :::note
-This is an Enterprise Edition feature.
+This feature is part of the [Duende IdentityServer Enterprise Edition](https://duendesoftware.com/products/identityserver).
 :::
 
-OAuth itself only knows about scopes - the (API) resource concept does not exist from a pure protocol point of view. 
+OAuth itself only knows about scopes - the (API) resource concept does not exist from a pure protocol point of view.
 This means that all the requested scope and audience combination get merged into a single access token.
 This has a couple of downsides:
 
@@ -25,8 +25,8 @@ This has a couple of downsides:
     * resource specific processing like signing or encryption algorithms conflict
 * without sender-constraints, a resource could potentially re-use (or abuse) a token to call another contained resource directly
 
-To solve this problem [RFC 8707](https://tools.ietf.org/html/rfc8707) adds another request parameter for the authorize and token endpoint called `resource`. 
-This allows requesting a token for a specific resource (in other words - making sure the audience claim has a single 
+To solve this problem [RFC 8707](https://tools.ietf.org/html/rfc8707) adds another request parameter for the authorize and token endpoint called `resource`.
+This allows requesting a token for a specific resource (in other words - making sure the audience claim has a single
 value only, and all scopes belong to that single resource).
 
 ## Using The Resource Parameter
@@ -52,7 +52,8 @@ If the client would request a token for the `read` scope, the resulting access t
 the invoice and the products API and thus be accepted at both APIs.
 
 ### Machine to Machine Scenarios
-If the client in addition passes the `resource` parameter specifying the name of the resource where it wants to use 
+
+If the client in addition passes the `resource` parameter specifying the name of the resource where it wants to use
 the access token, the token engine can `down-scope` the resulting access token to the single resource, e.g.:
 
 ```text
@@ -70,13 +71,14 @@ Thus resulting in an access token like this (some details omitted):
 
 ```json
 {
-    "aud": [ "urn:invoice" ],
-    "scope": "read",
-    "client_id": "client"
+  "aud": ["urn:invoice"],
+  "scope": "read",
+  "client_id": "client"
 }
 ```
 
 ### Interactive Applications
+
 The authorize endpoint supports the `resource` parameter as well, e.g.:
 
 ```text
@@ -98,6 +100,7 @@ resource=urn:invoices
 ```
 
 ### Requesting Access To Multiple Resources
+
 It is also possible to request access to multiple resources. This will result in multiple access tokens - one for each request resource.
 
 ```text
@@ -135,7 +138,8 @@ resource=urn:products
 The end-result will be that the client has two access tokens - one for each resource and can manage their lifetime via the refresh token.
 
 ## Enforcing Resource Isolation
-All examples so far used the `resource` parameter optionally. If you have API resources, where you want to make sure 
+
+All examples so far used the `resource` parameter optionally. If you have API resources, where you want to make sure
 they are not sharing access tokens with other resources, you can enforce the resource indicator, e.g.:
 
 ```csharp title="ApiResources.cs" {6,12}
@@ -156,11 +160,11 @@ var resources = new[]
 ```
 
 The `RequireResourceIndicator` property **does not** mean that clients are forced to send the `resource` parameter when
-they request scopes associated with the API resource. You can still request those scopes without setting the `resource` 
-parameter (or including the resource), and IdentityServer will issue a token as long as the client is allowed to request 
+they request scopes associated with the API resource. You can still request those scopes without setting the `resource`
+parameter (or including the resource), and IdentityServer will issue a token as long as the client is allowed to request
 the scopes.
 
-Instead, `RequireResourceIndicator` controls **when** the resource's URI is included in the **audience claim** (`aud`) 
+Instead, `RequireResourceIndicator` controls **when** the resource's URI is included in the **audience claim** (`aud`)
 of the issued access token.
 
 * When `RequireResourceIndicator` is `false` (the default):
@@ -169,4 +173,3 @@ of the issued access token.
 * When `RequireResourceIndicator` is `true`:
   The API's resource URI will **only** be included in the audience **if the client explicitly includes the resource URI** 
   via the `resource` parameter when requesting the token.
-

src/content/docs/identityserver/overview/specs.md

@@ -13,6 +13,10 @@ redirect_from:
 
 Duende IdentityServer implements the following specifications:
 
+:::note
+Some specifications are only available in the [Duende IdentityServer Business or Enterprise Edition](https://duendesoftware.com/products/identityserver).
+:::
+
 ## OpenID Connect
 
 * OpenID Connect Core 1.0 ([spec](https://openid.net/specs/openid-connect-core-1_0.html))

src/content/docs/identityserver/tokens/par.md

@@ -34,8 +34,11 @@ care, and in other industries with high security requirements.
 
 ## Licensing
 
-Duende.IdentityServer includes support for PAR in the Business Edition or higher license. In the starter edition, PAR
-requests will not be processed and instead log errors. If you have a starter edition license, you should disable the
+:::note
+This feature is part of the [Duende IdentityServer Business and Enterprise Edition](https://duendesoftware.com/products/identityserver).
+:::
+
+In the Starter edition, PAR requests will not be processed and instead log errors. If you have a starter edition license, you should disable the
 `EnablePushedAuthorizationEndpoint` flag so that discovery indicates that your IdentityServer does not support PAR:
 
 ```cs
@@ -72,12 +75,13 @@ builder.Services
     .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, oidcOptions =>
     {
         // Your authority, client ID, ... configuration goes here.
-        
-        // By default, PushedAuthorizationBehavior is set to PushedAuthorizationBehavior.UseIfAvailable. 
+
+        // By default, PushedAuthorizationBehavior is set to PushedAuthorizationBehavior.UseIfAvailable.
         // You can also require using PAR:
         oidcOptions.PushedAuthorizationBehavior = PushedAuthorizationBehavior.Require;
     });
 ```
+
 .NET 8 does not have built-in support for PAR. If you're using .NET 8, we have a sample of how to implement this flow
 available [here](/identityserver/samples/basics.mdx#mvc-client-with-pushed-authorization-requests).