Merge pull request #975 from DuendeSoftware/mb/standardize-editions

Document licensing details for Business and Enterprise Edition-specific features across IdentityServer docs.

Author: maartenba

src/content/docs/identityserver/configuration/dcr.mdx

@@ -76,9 +76,8 @@ create a new ASP.NET Core Web application which will host the Configuration API.
     ```
 
     :::note
-    The Configuration API feature is included in the Duende IdentityServer Business
-    edition license and higher. Use the same license key for IdentityServer and the
-    Configuration API.
+    This feature is part of the [Duende IdentityServer Business and Enterprise Edition](https://duendesoftware.com/products/identityserver).
+    Configure the same license key for IdentityServer and the Configuration API.
     :::
 
 4. **Add and configure the client configuration store**

src/content/docs/identityserver/configuration/index.md

@@ -18,10 +18,11 @@ The Configuration API is a collection of endpoints that allow for management and
 implementation. The Configuration API can be hosted either separately or within the IdentityServer implementation, and is
 distributed through the separate [Duende.IdentityServer.Configuration NuGet package](https://www.nuget.org/packages/Duende.IdentityServer.Configuration).
 
-Currently, the Configuration API supports the [Dynamic Client Registration](/identityserver/configuration/dcr.mdx) protocol. 
+Currently, the Configuration API supports the [Dynamic Client Registration](/identityserver/configuration/dcr.mdx) protocol.
 
-The Configuration API is part of the [Duende IdentityServer](https://duendesoftware.com/products/identityserver) Business Edition or higher. The same [license](https://duendesoftware.com/products/identityserver#pricing) 
-and [special offers](https://duendesoftware.com/specialoffers) apply.
+:::note
+This feature is part of the [Duende IdentityServer Business and Enterprise Edition](https://duendesoftware.com/products/identityserver).
+:::
 
 The Configuration API source code is available [on GitHub](https://github.com/DuendeSoftware/products/tree/main/identity-server/src/Configuration).
 

src/content/docs/identityserver/fundamentals/key-management.md

@@ -39,8 +39,9 @@ material, including
 * announcement of upcoming new keys
 * maintenance of retired keys
 
-Automatic Key Management is included in [IdentityServer](https://duendesoftware.com/products/identityserver) Business
-Edition or higher.
+:::note
+This feature is part of the [Duende IdentityServer Business and Enterprise Edition](https://duendesoftware.com/products/identityserver).
+:::
 
 ### Configuration
 
@@ -60,7 +61,7 @@ has passed, keys are removed from discovery, and optionally deleted.
 
 The default is to rotate keys every 90 days, announce new keys with 14 days of
 propagation time, retain old keys for a duration of 14 days, and to delete keys
-when they are retired. 
+when they are retired.
 
 ```mermaid
 ---
@@ -73,12 +74,12 @@ config:
 gantt
     title 90 Day Key Rotation Schedule per Signing Algorithm
     todayMarker off
-        
+
     section RS256
         Signing   :active, rsa_s, 2025-01-01, 76d
         Retire    :rsa_r, after rsa_s, 14d
         Delete    :crit, rsa_d, after rsa_r, 1d
-        
+
         Announce  :rsa_na,  2025-03-03, 14d
         Signing   :active, rsa_ns, after rsa_na, 62d
         Retire    :rsa_nr, after rsa_ns, 14d
@@ -100,13 +101,13 @@ All of these options are configurable in the `KeyManagement` options. For exampl
 ```cs
 // Program.cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{   
+{
     // new key every 30 days
     options.KeyManagement.RotationInterval = TimeSpan.FromDays(30);
-    
+
     // announce new key 2 days in advance in discovery
     options.KeyManagement.PropagationTime = TimeSpan.FromDays(2);
-    
+
     // keep old key for 7 days in discovery for validation of tokens
     options.KeyManagement.RetentionDuration = TimeSpan.FromDays(7);
 
@@ -139,7 +140,7 @@ access to the `KeyPath`.
 ```cs
 // Program.cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{   
+{
     // set path to store keys
     options.KeyManagement.KeyPath = "/home/shared/keys";
 });
@@ -169,7 +170,7 @@ an X.509 certificate. Automatic key management will create and rotate keys for
 each signing algorithm you specify.
 
 :::note
-*X.509 certificates* have an expiration date, but IdentityServer does
+_X.509 certificates_ have an expiration date, but IdentityServer does
 not use this data to validate the certificate and throw an exception. If a certificate has expired then you
 must decide whether to continue using it or replace it with a new certificate.
 :::
@@ -179,10 +180,10 @@ options.KeyManagement.SigningAlgorithms = new[]
 {
     // RS256 for older clients (with additional X.509 wrapping)
     new SigningAlgorithmOptions(SecurityAlgorithms.RsaSha256) { UseX509Certificate = true },
-    
+
     // PS256
     new SigningAlgorithmOptions(SecurityAlgorithms.RsaSsaPssSha256),
-    
+
     // ES256
     new SigningAlgorithmOptions(SecurityAlgorithms.EcdsaSha256)
 };
@@ -200,7 +201,7 @@ resource and client basis.
 Instead of using [Automatic Key Management](#automatic-key-management), IdentityServer's signing keys can be set
 manually. Automatic Key Management is generally recommended, but if you want to
 explicitly control your keys statically, or you have a license that does not
-include the feature (e.g. the Starter Edition), you will need to manually manage
+include the feature, you will need to manually manage
 your keys. With static configuration you are responsible for secure storage,
 loading and rotation of keys.
 
@@ -378,7 +379,7 @@ key as a validation key.
 ```cs
 // Program.cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = false;
 });
 
@@ -406,7 +407,7 @@ the signing credential and validation key.
 ```cs
 // Program.cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = false;
 });
 
@@ -428,7 +429,7 @@ old key, it is safe to completely remove the old key.
 
 ```cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = false;
 });
 
@@ -473,7 +474,7 @@ key. IdentityServer will continue to sign keys with your old static key.
 
 ```cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = true;
 });
 
@@ -491,7 +492,7 @@ keep the old key for validation purposes.
 
 ```cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = true;
 });
 
@@ -508,7 +509,7 @@ Now the static key configuration can be removed entirely.
 
 ```cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
-{  
+{
     options.KeyManagement.Enabled = true;
 });
 ```

src/content/docs/identityserver/fundamentals/resources/isolation.md

@@ -11,7 +11,7 @@ redirect_from:
 ---
 
 :::note
-This is an Enterprise Edition feature.
+This feature is part of the [Duende IdentityServer Enterprise Edition](https://duendesoftware.com/products/identityserver).
 :::
 
 OAuth itself only knows about scopes - the (API) resource concept does not exist from a pure protocol point of view.

src/content/docs/identityserver/overview/specs.md

@@ -13,6 +13,10 @@ redirect_from:
 
 Duende IdentityServer implements the following specifications:
 
+:::note
+Some specifications are only available in the [Duende IdentityServer Business or Enterprise Edition](https://duendesoftware.com/products/identityserver).
+:::
+
 ## OpenID Connect
 
 * OpenID Connect Core 1.0 ([spec](https://openid.net/specs/openid-connect-core-1_0.html))

src/content/docs/identityserver/tokens/par.md

@@ -34,8 +34,11 @@ care, and in other industries with high security requirements.
 
 ## Licensing
 
-Duende.IdentityServer includes support for PAR in the Business Edition or higher license. In the starter edition, PAR
-requests will not be processed and instead log errors. If you have a starter edition license, you should disable the
+:::note
+This feature is part of the [Duende IdentityServer Business and Enterprise Edition](https://duendesoftware.com/products/identityserver).
+:::
+
+In the Starter edition, PAR requests will not be processed and instead log errors. If you have a starter edition license, you should disable the
 `EnablePushedAuthorizationEndpoint` flag so that discovery indicates that your IdentityServer does not support PAR:
 
 ```cs
@@ -72,12 +75,13 @@ builder.Services
     .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, oidcOptions =>
     {
         // Your authority, client ID, ... configuration goes here.
-        
-        // By default, PushedAuthorizationBehavior is set to PushedAuthorizationBehavior.UseIfAvailable. 
+
+        // By default, PushedAuthorizationBehavior is set to PushedAuthorizationBehavior.UseIfAvailable.
         // You can also require using PAR:
         oidcOptions.PushedAuthorizationBehavior = PushedAuthorizationBehavior.Require;
     });
 ```
+
 .NET 8 does not have built-in support for PAR. If you're using .NET 8, we have a sample of how to implement this flow
 available [here](/identityserver/samples/basics.mdx#mvc-client-with-pushed-authorization-requests).
 

src/content/docs/identityserver/tokens/pop.md

@@ -20,7 +20,7 @@ redirect_from:
 
 By default, OAuth access tokens are so-called `bearer` tokens. This means they are not bound to a client and anybody who possesses the token can use it. The security concern here is that a leaked token could be used by a (malicious) third party to impersonate the client and/or user.
 
-On the other hand, `Proof-of-Possession` (PoP) tokens are bound to the client that requested the token. This is also often called sender constraining. This is done by using cryptography to prove that the sender of the token knows an additional secret only known to the client. 
+On the other hand, `Proof-of-Possession` (PoP) tokens are bound to the client that requested the token. This is also often called sender constraining. This is done by using cryptography to prove that the sender of the token knows an additional secret only known to the client.
 
 This proof is called the *confirmation method* and is expressed via the standard [`cnf` claim](https://tools.ietf.org/html/rfc7800),e.g.:
 
@@ -45,13 +45,14 @@ When using reference tokens, the cnf claim will be returned from the introspecti
 IdentityServer supports two styles of proof of possession tokens: **Mutual TLS** and **DPoP**.
 
 ## Mutual TLS
+
 [RFC 8705](https://tools.ietf.org/html/rfc8705) specifies how to bind a TLS client certificate to an access token. With this method your IdentityServer will embed the SHA-256 thumbprint of the X.509 client certificate into the access token via the cnf claim, e.g.:
 
 ```json
 {
   // rest omitted
-  
-  "cnf": { "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2" } 
+
+  "cnf": { "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2" }
 }
 ```
 
@@ -68,6 +69,7 @@ It is not mandatory to authenticate your clients with a client certificate to ge
 In this scenario, the client would create an X.509 certificate on the fly, and use that to establish the TLS channel to your IdentityServer. As long as the certificate is accepted by your web server, your IdentityServer can embed the `cnf` claim, and your APIs can validate it.
 
 #### .NET Client
+
 In .NET it is straight-forward to create an X.509 certificate on the fly and use it to open a TLS connection.
 
 ```csharp
@@ -81,19 +83,19 @@ static X509Certificate2 CreateClientCertificate(string name)
 
         request.CertificateExtensions.Add(
             new X509KeyUsageExtension(
-                X509KeyUsageFlags.DataEncipherment | 
-                X509KeyUsageFlags.KeyEncipherment | 
+                X509KeyUsageFlags.DataEncipherment |
+                X509KeyUsageFlags.KeyEncipherment |
                 X509KeyUsageFlags.DigitalSignature , false));
 
         request.CertificateExtensions.Add(
             new X509EnhancedKeyUsageExtension(
-                new OidCollection 
-                { 
-                    new Oid("1.3.6.1.5.5.7.3.2") 
+                new OidCollection
+                {
+                    new Oid("1.3.6.1.5.5.7.3.2")
                 }, false));
 
         return request.CreateSelfSigned(
-            new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), 
+            new DateTimeOffset(DateTime.UtcNow.AddDays(-1)),
             new DateTimeOffset(DateTime.UtcNow.AddDays(10)));
     }
 }
@@ -112,10 +114,10 @@ static async Task<TokenResponse> RequestTokenAsync()
     var response = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
     {
         Address = disco.MtlsEndpointAliases.TokenEndpoint,
-        
+
         // The default ClientCredentialStyle value is ClientCredentialStyle.AuthorizationHeader, which does not work in a Mutual TLS scenario
         ClientCredentialStyle = ClientCredentialStyle.PostBody,
-        
+
         ClientId = "client",
         Scope = "api1"
     });
@@ -134,14 +136,15 @@ static SocketsHttpHandler GetHandler(X509Certificate2 certificate)
 ```
 
 #### Enabling Support In IdentityServer
+
 The last step is to enable that feature in the options:
 
 ```csharp
 // Program.cs
 var idsvrBuilder = builder.Services.AddIdentityServer(options =>
 {
     // other settings
-    
+
     options.MutualTls.AlwaysEmitConfirmationClaim = true;
 });
 ```
@@ -151,8 +154,13 @@ var idsvrBuilder = builder.Services.AddIdentityServer(options =>
 **Version:** <span data-shb-badge data-shb-badge-variant="default">&gt;=6.3</span>
 
 [DPoP](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) is a security measure that addresses token replay
-attacks by making it difficult for attackers to use stolen tokens. Support for DPoP is included
-in [IdentityServer](https://duendesoftware.com/products/identityserver) Enterprise Edition. DPoP specifies how to bind
+attacks by making it difficult for attackers to use stolen tokens.
+
+:::note
+This feature is part of the [Duende IdentityServer Enterprise Edition](https://duendesoftware.com/products/identityserver).
+:::
+
+DPoP specifies how to bind
 an asymmetric key stored within a JSON Web Key (JWK) to an access token. With this enabled your IdentityServer will
 embed the thumbprint of the public key JWK into the access token via the cnf claim, e.g.:
 
@@ -229,7 +237,7 @@ builder.Services.AddAuthentication(...)
     .AddCookie("cookie", ...)
     .AddOpenIdConnect("oidc", ...);
 
-builder.Services.AddOpenIdConnectAccessTokenManagement(options => 
+builder.Services.AddOpenIdConnectAccessTokenManagement(options =>
 {
     options.DPoPJsonWebKey = "...";
 });
@@ -255,4 +263,4 @@ lost, the tokens can longer be used, and if the secret is leaked, the security b
 #### Enabling DPoP Support In Your API
 
 See [here](/identityserver/apis/aspnetcore/confirmation.md#validating-dpop) for documentation
-describing how to enable DPoP in your APIs.
+describing how to enable DPoP in your APIs.

src/content/docs/identityserver/troubleshooting/index.mdx

@@ -304,9 +304,13 @@ When dealing with external authentication, you may want to implement `OnTicketRe
 
 ### Use Server-side Sessions
 
-If you have a Business Edition or higher license for IdentityServer, then you can use [server-side sessions][2] to store the
+You can use [server-side sessions][2] to store the
 user's session data in a data store instead of in the cookie. This will greatly reduce the size of the cookie while allowing you to store more data in the session.
 
+:::note
+This feature is part of the [Duende IdentityServer Business and Enterprise Edition](https://duendesoftware.com/products/identityserver).
+:::
+
 ### Implement a Custom `ITicketStore` to Reduce Cookie Size
 
 When configuring the cookie authentication handler, you can provide a custom `ITicketStore` implementation to store the