4.2k

All integrations
Duende
Identity providers

Cerbos authorization for Duende IdentityServer

Duende IdentityServer provides OpenID Connect and OAuth 2.0 for your .NET applications. Cerbos consumes the identity tokens Duende issues and evaluates fine-grained authorization policies, so access control logic stays out of your ASP.NET middleware and API controllers.

Claims-driven policies

Claims-driven policies

Map Duende IdentityServer claims, roles, and scopes directly to Cerbos principal attributes for fine-grained authorization

Beyond scopes

Beyond scopes

Move past OAuth 2.0 scope checks to policies that combine identity claims with resource ownership, time, and request context

Clean .NET integration

Clean .NET integration

Keep authorization logic in Cerbos policies instead of scattering [Authorize] attributes and custom middleware across your ASP.NET codebase

How Cerbos works with Duende IdentityServer

Duende IdentityServer handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

How Cerbos works with Duende IdentityServer

  1. Users authenticate via Duende IdentityServer, Duende handles login, consent, and token issuance using OpenID Connect. Custom profile services or claim transformations can enrich tokens with roles, department, or tenant information.
  2. Extract claims from the Duende-issued token, Your .NET application validates the JWT or reference token and extracts the user's subject, roles, scopes, and any custom claims.
  3. Send identity and resource context to Cerbos, Pass the user's claims as principal attributes alongside the target resource and desired action to the Cerbos PDP.
  4. Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the Duende identity data and resource attributes, returning allow or deny. Your application enforces the result.

FAQ

How does Cerbos use Duende IdentityServer tokens?

Duende IdentityServer issues OpenID Connect ID tokens and OAuth 2.0 access tokens containing claims such as roles, scopes, and custom profile data. Your application extracts these claims and passes them to Cerbos as principal attributes. Cerbos evaluates them against your policies alongside resource attributes and request context to produce an authorization decision.

Can I use Duende's client credentials flow with Cerbos?

Yes. For service-to-service communication, Duende IdentityServer issues client credentials tokens with scopes and custom claims. Cerbos treats the client identity the same as a user principal, so you can write policies that authorize machine-to-machine access based on client ID, granted scopes, or any custom claim in the token.

Does Cerbos replace Duende IdentityServer's built-in authorization?

No. Duende IdentityServer handles authentication, token issuance, and consent. Cerbos handles authorization. Duende's scope-based access control is coarse-grained by design. Cerbos adds resource-level and attribute-based policies on top without modifying your IdentityServer configuration.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Auth0
Auth0Map Auth0 Actions, Organizations, and roles to Cerbos policy inputs
Identity providers
Authentik
AuthentikAuthentik property mappings shape token claims for Cerbos policy inputs
Identity providers
AWS Cognito
AWS CognitoCognito user pool groups and custom attributes as Cerbos policy inputs
Identity providers
Clerk
ClerkClerk session claims and Organizations drive Cerbos policy evaluation
Identity providers
Curity
Curity Identity ServerCurity token procedure claims as principal attributes in Cerbos
Identity providers
Descope
DescopeDescope JWT claims, tenant data, and role assignments feed into Cerbos policy evaluation
Identity providers

Cerbos + Duende IdentityServer

  • Cerbos extends Duende IdentityServer roles with fine-grained, attribute-based permissions
  • Policies defined in human-readable YAML, managed as code
  • Authorization logic decoupled from application code
  • Sub-millisecond policy evaluation via stateless PDP
Book a free policy workshopTry the Playground
Cerbos
/assets/footer/socials/x.svg/assets/footer/socials/github.svg/assets/footer/socials/mail.svg/assets/footer/socials/youtube.svg/assets/footer/socials/linkedin.svg/assets/footer/socials/slack.svg/assets/footer/socials/npm.svg/assets/footer/socials/rss.svg
/assets/footer/compliance/soc-2.svg/assets/footer/compliance/gdpr.svg

What is Cerbos?

Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.

© 2026 Cerbos.dev

Terms of Service

Privacy Policy

Trusted Tester Agreement

Trademark Guidelines