RFC 9700: Best Current Practice for OAuth 2.0 Security This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experience...

Finally! Grats!

datatracker.ietf.org/doc/rfc9700/

It would also be nice to visualize what does my license allow me to do. That can be in a self-service portal, or something like that.

I'd just say:
- Consider adding an OOTB license heath check. It'd be a nice compliment to the graceful behavior of the license validation. So, if the lincese isn't available in prod, then it's easier to notice for devs. Also consider bundling it with (docs.duendesoftware.com/identityserv...).

Thanks for reaching out @jmdc.dev!

I'm happy with the current license validation logic. It strikes a good balance between being graceful enough (prod won't stop working if the license expires) and being restrictive enough (advanced features won't work without a valid license in prod).

If you are running Duende Identity Server in prod, and you want to ensure you have a valid license and also potentially get notified early before the license expires, the checkout bit.ly/4g7CP10