Merge pull request #1026 from DuendeSoftware/mb/fix

Fix broken and inconsistent documentation links in IdentityServer v8.0 upgrade guides and related reference docs.

Author: maartenba

astro/src/content/docs/identityserver/aspnet-identity/schemes.md

@@ -16,8 +16,6 @@ When a user logs in, their identity is established and persisted across requests
 
 When using IdentityServer without ASP.NET Identity, the default cookie scheme is named `"idsrv"`, though we recommend using the constant `IdentityServerConstants.DefaultCookieAuthenticationScheme` in your code if you ever need it.
 
-Starting in **v8.0**, the default cookie name (not the scheme name) has changed to `"__Host-idsrv"` to improve security. The scheme name remains `"idsrv"`. See [Cookie Name Migration (v8.0)](#cookie-name-migration-v80) below for upgrade instructions.
-
 The default cookie scheme is configured by default in `AddIdentityServer()`, which sets up the cookie authentication handler with this scheme name. This cookie is essential for:
 
 - maintaining the user's authenticated session
@@ -59,8 +57,6 @@ This allows your login logic to read the claims from the external provider befor
 
 IdentityServer always uses the `"idsrv.external"` scheme here, available in the `IdentityServerConstants.ExternalCookieAuthenticationScheme` constant.
 
-Starting in **v8.0**, the default cookie _name_ for this scheme has changed to `"__Host-idsrv.external"` (previously `"idsrv.external"`). See [Cookie Name Migration (v8.0)](#cookie-name-migration-v80) below for upgrade instructions.
-
 ### Check Session Cookie
 
 IdentityServer session management requires a separate cookie to monitor the session state without sending the large authentication cookie.
@@ -70,24 +66,6 @@ The [User Session Service](/identityserver/reference/services/user-session-servi
 
 Note this cookie is not marked as `HttpOnly`, so it can be accessed in client-side code. The JavaScript code that is required to check user sessions in the background also requires access to this cookie, and needs it to be `HttpOnly`.
 
-## Cookie Name Migration :badge[v8.0]
-
-In IdentityServer v8.0, the default cookie **names** changed to use the `__Host-` prefix for
-improved security. The `__Host-` prefix restricts cookies to HTTPS-only, `Path=/`, and no `Domain`
-attribute — providing defense-in-depth against cookie theft and session fixation attacks.
-
-| Cookie               | Old name (v7.x)  | New name (v8.0)         |
-| -------------------- | ---------------- | ----------------------- |
-| Primary auth cookie  | `idsrv`          | `__Host-idsrv`          |
-| External auth cookie | `idsrv.external` | `__Host-idsrv.external` |
-
-The authentication **scheme names** (`"idsrv"` and `"idsrv.external"`) are unchanged.
-
-A migration middleware is available to transparently re-issue old cookies under the new names,
-and the cookie names can be overridden via `AuthenticationOptions`. See the
-[upgrade guide](/identityserver/upgrades/v7_4-to-v8_0.md#cookie-names-changed-to-__host--prefix)
-for full migration instructions.
-
 ## Common Pitfalls
 
 - **Mixing Schemes:** Attempting to `SignOutAsync("idsrv")` when ASP.NET Identity is in use will have no effect on the actual `"Identity.Application"` cookie, leaving the user logged in. Always use the constants or the helper services (like `SignInManager`) that match your configuration.

astro/src/content/docs/identityserver/diagnostics/conformance-report.md

@@ -137,7 +137,7 @@ The HTML report displays:
 
 The conformance report uses `IClientStore.GetAllClientsAsync` to enumerate all clients for
 assessment. Custom `IClientStore` implementations must implement this method (added in v8.0).
-See the [upgrade guide](/identityserver/upgrades/v7_4-to-v8_0/#iclientstoregettallclientsasync-now-required)
+See the [upgrade guide](/identityserver/upgrades/v7_4-to-v8_0.md#iclientstoregetallclientsasync-now-required)
 for details.
 
 ## Full Example

astro/src/content/docs/identityserver/reference/options.md

@@ -283,6 +283,7 @@ Login/logout related settings. Available on the `Authentication` property of the
 
 - **`CookieAuthenticationScheme`**
   Sets the cookie authentication scheme configured by the host used for interactive users. If not set, the scheme will be inferred from the host's default authentication scheme. This setting is typically used when AddPolicyScheme is used in the host as the default scheme.
+
 - **`CookieLifetime`**
 
   The authentication cookie lifetime (only effective if the IdentityServer-provided cookie handler is used). Defaults to 10 hours.
@@ -295,14 +296,6 @@ Login/logout related settings. Available on the `Authentication` property of the
 
   Specifies the SameSite mode for the internal cookies. Defaults to None.
 
-- **`CookieName`** (added in `v8.0`)
-
-  Sets the name of the primary IdentityServer authentication cookie. Defaults to `"__Host-idsrv"`. The `__Host-` prefix enforces that the cookie is only sent over HTTPS, with `Path=/` and no `Domain` attribute. Set to `"idsrv"` to use the legacy cookie name when upgrading from a previous version.
-
-- **`ExternalCookieName`** (added in `v8.0`)
-
-  Sets the name of the external/temporary authentication cookie. Defaults to `"__Host-idsrv.external"`. The `__Host-` prefix enforces that the cookie is only sent over HTTPS, with `Path=/` and no `Domain` attribute. Set to `"idsrv.external"` to use the legacy cookie name when upgrading from a previous version.
-
 - **`RequireAuthenticatedUserForSignOutMessage`**
 
   Indicates if user must be authenticated to accept parameters to end session endpoint. Defaults to false.

astro/src/content/docs/identityserver/reference/stores/client-store.md

@@ -39,4 +39,4 @@ public interface IClientStore
 
 `GetAllClientsAsync` returns all configured clients as an async enumerable. <span data-shb-badge data-shb-badge-variant="default">Added in 8.0 (prerelease)</span>
 
-Used by the [conformance report](/identityserver/diagnostics/conformance-report/) and configuration validation features. Custom `IClientStore` implementations must implement this method — see the [upgrade guide](/identityserver/upgrades/v7_4-to-v8_0/#iclientstoregettallclientsasync-now-required) for details.
+Used by the [conformance report](/identityserver/diagnostics/conformance-report/) and configuration validation features. Custom `IClientStore` implementations must implement this method — see the [upgrade guide](/identityserver/upgrades/v7_4-to-v8_0.md#iclientstoregetallclientsasync-now-required) for details.

astro/src/content/docs/identityserver/upgrades/v7_4-to-v8_0.md

@@ -164,7 +164,7 @@ If you are not using the SAML 2.0 feature, no schema changes are required.
 #### Custom Store Implementations
 
 If your IdentityServer implementation uses a custom `IClientStore`, you must add the new
-`GetAllClientsAsync` method (see [Breaking Change 4f](#iclientstoregettallclientsasync-now-required)
+`GetAllClientsAsync` method (see [Breaking Change](#iclientstoregetallclientsasync-now-required)
 below).
 
 #### Duende.IdentityServer.EntityFramework
@@ -247,43 +247,6 @@ HTTP 303 (See Other) for redirects from POST endpoints, in compliance with
 No action is needed unless you explicitly set `UseHttp303Redirects = false` in a previous version.
 If so, remove that setting — the redirect behavior can no longer be changed.
 
-### Cookie Names Changed to `__Host-` Prefix
-
-The default cookie names have changed in v8.0:
-
-| Cookie               | Old name (v7.x)  | New name (v8.0)         |
-| -------------------- | ---------------- | ----------------------- |
-| Primary auth cookie  | `idsrv`          | `__Host-idsrv`          |
-| External auth cookie | `idsrv.external` | `__Host-idsrv.external` |
-
-The `__Host-` prefix is a browser security feature that restricts the cookie to HTTPS-only
-connections, forces `Path=/`, and disallows a `Domain` attribute.
-
-**Migrating existing sessions**: Use the migration middleware to transparently accept both old and
-new cookie names. Call it once per cookie, **before** `UseIdentityServer()`, in your `Program.cs`:
-
-```csharp
-// Program.cs — add BEFORE UseIdentityServer()
-app.MigrateIdentityServerCookieName("idsrv", "__Host-idsrv");
-app.MigrateIdentityServerCookieName("idsrv.external", "__Host-idsrv.external");
-app.UseIdentityServer();
-```
-
-This middleware is a transient migration aid. When a user visits with an old cookie, the middleware
-transparently re-issues it under the new name. Once all active sessions have been re-issued, you can
-remove the middleware calls.
-
-You can also override the defaults using the new `AuthenticationOptions` properties:
-
-```csharp
-// Program.cs
-builder.Services.AddIdentityServer(options =>
-{
-    options.Authentication.CookieName = "my-custom-cookie";
-    options.Authentication.ExternalCookieName = "my-custom-cookie.external";
-});
-```
-
 ### IClientStore.GetAllClientsAsync Now Required
 
 `IClientStore` now includes a second required method: