Merge branch 'main' into mb/fix

maartenba · web-flow · commit 11a4228d78c1 · 2026-01-19T11:54:07.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -23,5 +23,7 @@ pnpm-debug.log*
 .vscode/settings.json
 *.iml
 
+# Agents and assistants
 .opencode/
-opencode.json
+opencode.json
+.idea/**/copilot.data.migration.*.xml
diff --git a/src/content/docs/identityserver/aspnet-identity/schemes.md b/src/content/docs/identityserver/aspnet-identity/schemes.md
@@ -62,7 +62,7 @@ IdentityServer always uses the `"idsrv.external"` scheme here, available in the
 IdentityServer session management requires a separate cookie to monitor the session state without sending the large authentication cookie.
 The [User Session Service](/identityserver/reference/services/user-session-service.md) manages this cookie.
 
-- **Default Name:** `"idsrv.session"` (Constant: `IdentityServerConstants.DefaultCheckSessionCookieName`). This often remains consistent, but verify your specific configuration.
+- **Default Name:** `"idsrv.session"` (Constant: `IdentityServerConstants.DefaultCheckSessionCookieName`).
 
 Note this cookie is not marked as `HttpOnly`, so it can be accessed in client-side code. The JavaScript code that is required to check user sessions in the background also requires access to this cookie, and needs it to be `HttpOnly`.
 
diff --git a/src/content/docs/identityserver/ui/logout/external-notification.md b/src/content/docs/identityserver/ui/logout/external-notification.md
@@ -20,7 +20,13 @@ clients that the user has signed out.
 This notification usually comes in the form of a request in an `<iframe>` from the external identity provider's "logged
 out" page.
 IdentityServer must then notify all of its clients (as discussed [here](/identityserver/ui/logout)), also typically in the form of a
-request in an `<iframe>` from within the external identity provider's `<iframe>`.
+request in an `<iframe>` (i.e. via Front-Channel Logout) from within the external identity provider's `<iframe>`.
+
+:::note
+To configure federated sign-out from an external identity provider, please refer to the documentation for your specific
+external identity provider. When using an OpenID Connect identity provider, this is typically configured using the
+front-channel logout URI.
+:::
 
 What makes federated sign-out a special case (when compared to a normal [logout](/identityserver/ui/logout)) is that the federated
 sign-out request is not to the normal sign-out endpoint in IdentityServer.
@@ -36,7 +42,7 @@ federated sign-out.
 
 Fortunately IdentityServer already contains this code.
 When requests come into IdentityServer and invoke the handlers for external authentication providers, IdentityServer
-detects if these are federated signout requests and if they are it will automatically render the same `<iframe>`
+detects if these are federated sign-out requests and if they are it will automatically render the same `<iframe>`
 as [described here for logout](/identityserver/ui/logout).
 
-In short, federated signout is automatically supported.
+In short, federated sign-out is automatically supported.
diff --git a/src/content/docs/identityserver/ui/server-side-sessions/inactivity-timeout.md b/src/content/docs/identityserver/ui/server-side-sessions/inactivity-timeout.md
@@ -37,13 +37,12 @@ These invocations can be used as the signal to the server-side session managemen
 In addition to refresh tokens, any client activity using an access token that originated from the user's session could also be used to extend the user's server-side session at IdentityServer.
 This would only work if IdentityServer were aware of this activity, but userinfo and introspection endpoint requests are examples of those types of activity.
 
-Internally IdentityServer provides a `ISessionCoordinationService` which is invoked from the endpoints describes above. 
-Its purpose is to then extend the lifetime of the server-side session. 
+Internally IdentityServer provides a `ISessionCoordinationService` which is invoked from the endpoints describes above.
+Its purpose is to then extend the lifetime of the server-side session.
 Below is a picture of the various types of requests to do this:
 
 ![diagram demonstrating how to extend a session using IdentityServer](images/extending_session.svg)
 
-
 ### User Inactivity Detection and Session Termination
 
 When the user becomes inactive, the server-side session management system at IdentityServer can detect and remove the abandoned session.
@@ -58,7 +57,6 @@ The obvious signal would be if the refresh token request failed, then that would
 
 Given this understanding, client applications can participate in this convention and IdentityServer can coordinate to achieve this system-wide "inactivity timeout" requirement.
 
-
 ## Configuration
 
 Configuration is needed in both IdentityServer and client applications.
@@ -71,7 +69,6 @@ To prepare IdentityServer, these features need to be enabled:
 2. Either the global [`CoordinateClientLifetimesWithUserSession` option](/identityserver/reference/options.md#authentication) should be enabled, or the client-specific [`CoordinateLifetimeWithUserSession` option](/identityserver/reference/models/client.md#authentication--session-management) should be enabled.
 3. Enable back-channel logout for [session expiration](/identityserver/ui/server-side-sessions/session-expiration.mdx) with the [`ExpiredSessionsTriggerBackchannelLogout` option](/identityserver/reference/options.md#server-side-sessions).
 
-
 ### Client Applications
 
 Depending on what protocol features the client is using, different approaches will need to be taken.
@@ -83,6 +80,7 @@ As the client uses the refresh token at IdentityServer, the user's session expir
 Be sure to configure the access token lifetime to be less than the server-side session lifetime at IdentityServer.
 
 To detect inactivity:
+
 * Either handle refresh token request failure, and consider the session ended.
 * Or implement back-channel logout.
 
@@ -91,7 +89,8 @@ To detect inactivity:
 It's possible a client is using a [reference access token](/identityserver/tokens/reference.md) and no refresh token.
 The API would then use introspection to validate the token, which would then extend the associated user's session at IdentityServer.
 
-To detect inactivity: 
+To detect inactivity:
+
 * Either handle 401 errors from the API, and then consider the session ended.
 * Or implement back-channel logout.
 
diff --git a/src/data/banner.json b/src/data/banner.json
@@ -1,3 +1,3 @@
 {
-  "content": "<strong>Livestream:</strong> Why now's a good time to upgrade to .NET 10 and Duende IdentityServer 7. <a href=\"https://duendesoftware.com/webinars/why-upgrade-dotnet-10-and-identityserver\">Register Now!</a>"
+  "content": "<strong>Livestream:</strong> Why now's a good time to upgrade to Duende IdentityServer and .NET 10. <a href=\"https://duendesoftware.com/webinars/why-upgrade-dotnet-10-and-identityserver\">Register Now!</a>"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`{`
`2`		`- "content": "<strong>Livestream:</strong> Why now's a good time to upgrade to .NET 10 and Duende IdentityServer 7. <a href=\"https://duendesoftware.com/webinars/why-upgrade-dotnet-10-and-identityserver\">Register Now!</a>"`
	`2`	`+ "content": "<strong>Livestream:</strong> Why now's a good time to upgrade to Duende IdentityServer and .NET 10. <a href=\"https://duendesoftware.com/webinars/why-upgrade-dotnet-10-and-identityserver\">Register Now!</a>"`
`3`	`3`	`}`