DuendeSoftware
diff --git a/‎.weave/plans/is8-docs.md‎
Lines changed: 791 additions & 0 deletions b/‎.weave/plans/is8-docs.md‎
Lines changed: 791 additions & 0 deletions
diff --git a/‎astro/src/content/docs/bff/extensibility/index.md‎
Lines changed: 4 additions & 3 deletions b/‎astro/src/content/docs/bff/extensibility/index.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎astro/src/content/docs/bff/extensibility/user-endpoint-claims.md‎
Lines changed: 78 additions & 0 deletions b/‎astro/src/content/docs/bff/extensibility/user-endpoint-claims.md‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎astro/src/content/docs/identityserver/aspnet-identity/schemes.md‎
Lines changed: 58 additions & 1 deletion b/‎astro/src/content/docs/identityserver/aspnet-identity/schemes.md‎
Lines changed: 58 additions & 1 deletion
diff --git a/‎astro/src/content/docs/identityserver/diagnostics/conformance-report.md‎
Lines changed: 137 additions & 0 deletions b/‎astro/src/content/docs/identityserver/diagnostics/conformance-report.md‎
Lines changed: 137 additions & 0 deletions
diff --git a/‎astro/src/content/docs/identityserver/diagnostics/index.md‎
Lines changed: 8 additions & 1 deletion b/‎astro/src/content/docs/identityserver/diagnostics/index.md‎
Lines changed: 8 additions & 1 deletion
@@ -14,6 +14,7 @@ redirect_from:
 
 Duende.BFF can be extended in the following areas
 
-* custom logic at the session management endpoints
-* custom logic and configuration for HTTP forwarding
-* custom data storage for server-side sessions and access/refresh tokens
+- custom logic at the session management endpoints
+- custom logic and configuration for HTTP forwarding
+- custom data storage for server-side sessions and access/refresh tokens
+- [enriching claims returned from the user endpoint](/bff/extensibility/user-endpoint-claims/) using `IUserEndpointClaimsEnricher` (added in v8.0)
@@ -0,0 +1,78 @@
+---
+title: "User Endpoint Claims Enrichment"
+description: Documentation for the IUserEndpointClaimsEnricher interface which allows enriching or replacing the claims returned from the BFF user endpoint.
+sidebar:
+  label: User Claims
+  order: 20
+  badge:
+    text: New
+    variant: tip
+---
+
+The `IUserEndpointClaimsEnricher` interface allows you to enrich or replace the claims returned from the
+[BFF user endpoint](/bff/apis/local/). This is useful when you need to add custom claims derived from
+external data sources, including data fetched using the user's access token.
+
+## Comparison with IClaimsTransformation
+
+ASP.NET Core's built-in `IClaimsTransformation` runs _during_ the authentication process, before a fully
+authenticated principal is available. This means you cannot use the access token at that point to call
+external APIs.
+
+`IUserEndpointClaimsEnricher` runs _after_ authentication is complete and gives you access to the full
+`AuthenticateResult`, including the access token. This makes it possible to call downstream APIs using
+`AccessTokenManagement` to fetch additional user data.
+
+## Interface
+
+```csharp
+namespace Duende.Bff.Endpoints;
+
+public interface IUserEndpointClaimsEnricher
+{
+    /// <summary>
+    /// Enrich the claims for the user endpoint. You can return the same claims,
+    /// a modified set of claims, or completely new claims.
+    /// </summary>
+    /// <param name="authenticateResult">The result from the authentication endpoint.</param>
+    /// <param name="claims">The current set of claims to be returned.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>The updated list of claims.</returns>
+    Task<IReadOnlyList<ClaimRecord>> EnrichClaimsAsync(
+        AuthenticateResult authenticateResult,
+        IReadOnlyList<ClaimRecord> claims,
+        CancellationToken ct = default);
+}
+```
+
+## Registration
+
+Register your implementation via the DI container:
+
+```csharp
+builder.Services.AddTransient<IUserEndpointClaimsEnricher, MyClaimsEnricher>();
+```
+
+## Example Implementation
+
+```csharp
+public class MyClaimsEnricher : IUserEndpointClaimsEnricher
+{
+    public async Task<IReadOnlyList<ClaimRecord>> EnrichClaimsAsync(
+        AuthenticateResult authenticateResult,
+        IReadOnlyList<ClaimRecord> claims,
+        CancellationToken ct = default)
+    {
+        var enriched = claims.ToList();
+
+        // Add a custom claim
+        enriched.Add(new ClaimRecord("custom_claim", "custom_value"));
+
+        // You can also access the access token from the AuthenticateResult
+        // to call downstream APIs for additional user data:
+        // var token = authenticateResult.Properties?.GetTokenValue("access_token");
+
+        return enriched;
+    }
+}
+```
@@ -16,6 +16,8 @@ When a user logs in, their identity is established and persisted across requests
 
 When using IdentityServer without ASP.NET Identity, the default cookie scheme is named `"idsrv"`, though we recommend using the constant `IdentityServerConstants.DefaultCookieAuthenticationScheme` in your code if you ever need it.
 
+Starting in **v8.0**, the default cookie name (not the scheme name) has changed to `"__Host-idsrv"` to improve security. The scheme name remains `"idsrv"`. See [Cookie Name Migration (v8.0)](#cookie-name-migration-v80) below for upgrade instructions.
+
 The default cookie scheme is configured by default in `AddIdentityServer()`, which sets up the cookie authentication handler with this scheme name. This cookie is essential for:
 
 - maintaining the user's authenticated session
@@ -39,7 +41,7 @@ services.ConfigureApplicationCookie(options =>
 {
     // The default ("Identity.Application")
     options.Cookie.Name = IdentityConstants.ApplicationScheme;
-    
+
     // Configure other options here...
     options.ExpireTimeSpan = TimeSpan.FromHours(1);
     options.SlidingExpiration = true;
@@ -57,6 +59,8 @@ This allows your login logic to read the claims from the external provider befor
 
 IdentityServer always uses the `"idsrv.external"` scheme here, available in the `IdentityServerConstants.ExternalCookieAuthenticationScheme` constant.
 
+Starting in **v8.0**, the default cookie _name_ for this scheme has changed to `"__Host-idsrv.external"` (previously `"idsrv.external"`). See [Cookie Name Migration (v8.0)](#cookie-name-migration-v80) below for upgrade instructions.
+
 ### Check Session Cookie
 
 IdentityServer session management requires a separate cookie to monitor the session state without sending the large authentication cookie.
@@ -66,6 +70,59 @@ The [User Session Service](/identityserver/reference/services/user-session-servi
 
 Note this cookie is not marked as `HttpOnly`, so it can be accessed in client-side code. The JavaScript code that is required to check user sessions in the background also requires access to this cookie, and needs it to be `HttpOnly`.
 
+## Cookie Name Migration (v8.0)
+
+In IdentityServer v8.0, the default cookie **names** changed to use the `__Host-` prefix:
+
+| Cookie               | Old name (v7.x)  | New name (v8.0)         |
+| -------------------- | ---------------- | ----------------------- |
+| Primary auth cookie  | `idsrv`          | `__Host-idsrv`          |
+| External auth cookie | `idsrv.external` | `__Host-idsrv.external` |
+
+Note: the authentication **scheme names** (`"idsrv"` and `"idsrv.external"`) are unchanged.
+
+### Why `__Host-`?
+
+The `__Host-` prefix is a browser security feature that restricts a cookie to:
+
+- HTTPS-only connections
+- `Path=/` (the entire site)
+- No `Domain` attribute (preventing subdomain sharing)
+
+This provides defense-in-depth against cookie theft and session fixation attacks.
+
+### Migrating Existing Sessions
+
+To avoid invalidating existing user sessions when upgrading, use the migration middleware to
+transparently accept both old and new cookie names. Add it to `Program.cs` **before**
+`UseIdentityServer()`, calling it once per cookie:
+
+```csharp
+// Program.cs — add BEFORE UseIdentityServer()
+app.MigrateIdentityServerCookieName("idsrv", "__Host-idsrv");
+app.MigrateIdentityServerCookieName("idsrv.external", "__Host-idsrv.external");
+app.UseIdentityServer();
+```
+
+When a user visits with an old cookie, the middleware transparently re-issues it under the new
+name. Once all active sessions have been re-issued, you can remove the middleware calls.
+
+### Configuring Cookie Names
+
+Override the default names using `AuthenticationOptions`:
+
+```csharp
+builder.Services.AddIdentityServer(options =>
+{
+    // Restore legacy names if needed (e.g., staged migration)
+    options.Authentication.CookieName = "idsrv";
+    options.Authentication.ExternalCookieName = "idsrv.external";
+});
+```
+
+See the [upgrade guide](/identityserver/upgrades/v7_4-to-v8_0/#cookie-names-changed-to-__host--prefix)
+for full migration instructions.
+
 ## Common Pitfalls
 
 - **Mixing Schemes:** Attempting to `SignOutAsync("idsrv")` when ASP.NET Identity is in use will have no effect on the actual `"Identity.Application"` cookie, leaving the user logged in. Always use the constants or the helper services (like `SignInManager`) that match your configuration.
 
@@ -0,0 +1,137 @@
+---
+title: "Conformance Report"
+sidebar:
+  label: Conformance Report
+  order: 50
+  badge:
+    text: v8.0
+    variant: tip
+---
+
+The conformance report assesses your IdentityServer deployment against
+[OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1) and
+[FAPI 2.0 Security Profile](https://openid.net/specs/fapi-2_0-security-profile.html) specifications,
+generating an HTML report accessible via a protected endpoint.
+
+## Installation
+
+Install the NuGet package:
+
+```bash
+dotnet add package Duende.IdentityServer.ConformanceReport
+```
+
+## Setup
+
+### 1. Register the Conformance Report
+
+Call `AddConformanceReport()` on the IdentityServer builder:
+
+```csharp
+builder.Services.AddIdentityServer()
+    .AddConformanceReport(options =>
+    {
+        options.Enabled = true;
+    });
+```
+
+### 2. Map the Endpoint
+
+Add the conformance report endpoint to your middleware pipeline:
+
+```csharp
+app.MapConformanceReport();
+```
+
+### 3. Access the Report
+
+Navigate to: `https://your-server/_duende/conformance-report`
+
+The endpoint requires an authenticated user by default (see [Authorization](#authorization) below).
+
+## Configuration Options
+
+`ConformanceReportOptions` controls the conformance report feature:
+
+| Property                        | Type                                  | Default                     | Description                                                      |
+| ------------------------------- | ------------------------------------- | --------------------------- | ---------------------------------------------------------------- |
+| `Enabled`                       | `bool`                                | `false`                     | Enable or disable the conformance report endpoint.               |
+| `EnableOAuth21Assessment`       | `bool`                                | `true`                      | Include OAuth 2.1 profile assessment in the report.              |
+| `EnableFapi2SecurityAssessment` | `bool`                                | `true`                      | Include FAPI 2.0 Security Profile assessment in the report.      |
+| `PathPrefix`                    | `string`                              | `"_duende"`                 | URL path prefix for the conformance endpoint (no leading slash). |
+| `ConfigureAuthorization`        | `Action<AuthorizationPolicyBuilder>?` | Requires authenticated user | Authorization policy for the HTML report endpoint.               |
+| `AuthorizationPolicyName`       | `string`                              | `"ConformanceReport"`       | ASP.NET Core authorization policy name used internally.          |
+| `HostCompanyName`               | `string?`                             | `null`                      | Optional company name shown in the report header.                |
+| `HostCompanyLogoUrl`            | `Uri?`                                | `null`                      | Optional company logo URL shown in the report header.            |
+
+## Authorization
+
+By default, the report endpoint requires an authenticated user. Customize the policy using
+`ConfigureAuthorization`:
+
+```csharp
+// Require a specific role
+options.ConfigureAuthorization = policy => policy.RequireRole("Admin");
+
+// Require multiple conditions
+options.ConfigureAuthorization = policy => policy
+    .RequireRole("Admin")
+    .RequireClaim("department", "IT");
+
+// Allow anonymous (development/testing only)
+options.ConfigureAuthorization = policy =>
+    policy.RequireAssertion(_ => builder.Environment.IsDevelopment());
+```
+
+:::caution
+If you set `ConfigureAuthorization = null`, you must manually register an ASP.NET Core authorization
+policy with the name specified in `AuthorizationPolicyName` (default: `"ConformanceReport"`).
+Otherwise, the endpoint will fail at runtime with a "policy not found" error.
+:::
+
+## Understanding the Report
+
+The HTML report displays:
+
+- **Server Configuration** — a matrix of server-level conformance rules and their status
+- **Client Configurations** — a matrix of per-client conformance rules and their status
+- **Rule Legend** — explanation of each rule identifier
+- **Notes** — detailed messages for warnings and failures
+
+### Status Indicators
+
+| Symbol  | Meaning                                                  |
+| ------- | -------------------------------------------------------- |
+| Pass    | Requirement is met                                       |
+| Fail    | Requirement is not met (configuration is non-conformant) |
+| Warning | Recommended practice is not followed                     |
+| N/A     | Rule is not applicable to this configuration             |
+
+## Requirements
+
+The conformance report uses `IClientStore.GetAllClientsAsync` to enumerate all clients for
+assessment. Custom `IClientStore` implementations must implement this method (added in v8.0).
+See the [upgrade guide](/identityserver/upgrades/v7_4-to-v8_0/#iclientstoregettallclientsasync-now-required)
+for details.
+
+## Full Example
+
+```csharp
+// Program.cs
+
+builder.Services.AddIdentityServer()
+    .AddInMemoryClients(Config.Clients)
+    .AddConformanceReport(options =>
+    {
+        options.Enabled = true;
+        options.EnableOAuth21Assessment = true;
+        options.EnableFapi2SecurityAssessment = true;
+        options.HostCompanyName = "Acme Corp";
+        options.ConfigureAuthorization = policy => policy.RequireRole("ComplianceTeam");
+    });
+
+// ...
+
+app.MapConformanceReport();
+app.UseIdentityServer();
+```
@@ -33,4 +33,11 @@ systems (APM). They used to have their own different APIs so IdentityServer only
 that could be used to call the APM's APIs. Thanks to OpenTelemetry there is now a standardized
 way to emit diagnostic information from a process. The events may eventually be deprecated and removed.
 
-[Read More](/identityserver/diagnostics/events.md)
+[Read More](/identityserver/diagnostics/events.md)
+
+## Conformance Report
+
+IdentityServer can generate a conformance report that assesses your configuration against OAuth 2.1
+and FAPI 2.0 specifications.
+
+[Read More](/identityserver/diagnostics/conformance-report/)