Duende Skills

Duende development skills and agents for Claude Code — covering OAuth/OIDC protocols, IdentityServer, token management, ASP.NET Core authentication/authorization, BFF patterns, and secure identity architecture

security, agent
By Duende Software
72 · Updated 2 weeks ago · Shell · NOASSERTION

Installation

/plugin install duende-skills@claude-plugins-official

How to install

  1. Open Claude Code in your terminal
  2. Run the installation command above
  3. The plugin will be enabled automatically
  4. Use the plugin's features in your Claude Code sessions

Duende Agent Skills

A set of agent skills and specialized agents for Duende IdentityServer, Backend-for-Frontend (BFF), and identity/access management development. Covers OAuth 2.0, OpenID Connect, Duende, token management, ASP.NET Core authentication and authorization, and related skills needed to build production-grade identity infrastructure.

Your Feedback 🗣️

We would love to hear your feedback about these skills! What's working? What's not? What's missing?

For questions, feedback, or community discussions, visit the Duende Community.

Installation

You can use several AI coding assistants that support skills/agents.

Claude Code (CLI)

Official Docs

Run these commands inside the Claude Code CLI:

/plugin marketplace add DuendeSoftware/duende-skills
/plugin install duende-skills

To update:

/plugin marketplace update

Recommended: Also install dotnet-skills for general .NET development coverage:

/plugin marketplace add Aaronontheweb/dotnet-skills
/plugin install dotnet-skills

GitHub Copilot

Official Docs

Clone or copy skills to your project or global config:

Project-level (recommended):

git clone https://github.com/DuendeSoftware/duende-skills.git /tmp/duende-skills
mkdir -p .github/skills
cp -r /tmp/duende-skills/skills/* .github/skills/

Global (all projects):

mkdir -p ~/.copilot/skills
cp -r /tmp/duende-skills/skills/* ~/.copilot/skills/

Recommended: Also install dotnet-skills for general .NET development coverage.

OpenCode

Official Docs

git clone https://github.com/DuendeSoftware/duende-skills.git /tmp/duende-skills

# Global installation (directory names must match frontmatter 'name' field)
mkdir -p ~/.config/opencode/skills ~/.config/opencode/agents
for skill_file in /tmp/duende-skills/skills/*/SKILL.md; do
  skill_dir=$(dirname "$skill_file")
  skill_name=$(grep -m1 "^name:" "$skill_file" | sed 's/^name: *//')
  # Quote the target path: skill_name is read from the cloned repo's frontmatter
  mkdir -p "$HOME/.config/opencode/skills/$skill_name"
  cp "$skill_file" "$HOME/.config/opencode/skills/$skill_name/SKILL.md"
  # Copy bundled resources (docs/, references/, etc.) if present
  find "$skill_dir" -mindepth 1 -maxdepth 1 -type d -exec cp -r {} "$HOME/.config/opencode/skills/$skill_name/" \;
done
cp /tmp/duende-skills/agents/*.md ~/.config/opencode/agents/

Recommended: Also install dotnet-skills for general .NET development coverage.


Skills Library

Identity & OAuth

| Skill | Description |
|---|---|
| aspnetcore-authentication | ASP.NET Core authentication middleware — OIDC, JWT Bearer, cookies, schemes, external providers |
| aspnetcore-authorization | ASP.NET Core authorization — policies, IAuthorizationHandler, scope-based API authz, minimal APIs |
| claims-authorization | Claims-based authorization — policies, requirement handlers, resource-based authz, claims transformation |
| duende-bff | Backend-for-Frontend security framework for SPAs — session management, API proxying, token management |
| identity-security-hardening | Security hardening — key rotation, HTTPS, CORS, CSP, rate limiting, token lifetime tuning |
| identity-testing-patterns | Testing IdentityServer integrations — WebApplicationFactory, mock token issuance, protocol validation |
| identityserver-api-protection | Protecting APIs — JWT bearer authentication, reference token introspection, scope-based authorization, DPoP/mTLS proof-of-possession, local API auth |
| identityserver-aspire | Aspire AppHost orchestration — dependency graphs, authority URL wiring, health checks, multi-instance |
| identityserver-configuration | IdentityServer host configuration — clients, resources, scopes, signing credentials, server-side sessions, client types (M2M, interactive, SPA), grant types, API Scopes vs API Resources vs Identity Resources, and client authentication methods |
| identityserver-dcr | Dynamic Client Registration — endpoint setup, validation, software statements, client stores |
| identityserver-deployment | Production deployment — reverse proxy configuration, data protection, health checks, distributed caching, OpenTelemetry, logging |
| identityserver-hosting-setup | Setting up and hosting IdentityServer — DI registration, middleware pipeline, hosting patterns, license configuration, ASP.NET Identity integration |
| identityserver-key-management | Cryptographic signing keys — automatic key management, data protection at rest, static key configuration, multi-instance deployment |
| identityserver-saml | SAML 2.0 Identity Provider — service provider registration, SSO/SLO flows, claim mappings, extensibility, production stores |
| identityserver-sessions-providers | Server-side sessions, session management/querying, inactivity timeout, dynamic identity providers, CIBA |
| identityserver-stores | Persistent stores — EF Core configuration/operational stores, migrations, custom implementations |
| identityserver-token-lifecycle | Token types, refresh token management, token exchange (RFC 8693), extension grants, IProfileService claims, lifetime best practices |
| identityserver-token-security | Advanced token security — DPoP, mTLS certificate binding, Pushed Authorization Requests (PAR), JAR, FAPI 2.0 compliance |
| identityserver-ui-flows | Login, logout, consent, error, and federation gateway UI pages — IIdentityServerInteractionService, external providers, Home Realm Discovery |
| identityserver-upgrade-v7-to-v8 | Upgrading from IdentityServer v7 to v8 — HybridCache, TimeProvider, CancellationToken, EF migrations, breaking changes |
| identityserver-usermanagement | Duende User Management — passwordless auth (OTP, TOTP, passkeys), storage, IdentityServer integration, ASP.NET Identity migration |
| identityserver4-migration | Migrating from IdentityServer4 to Duende IdentityServer v8 — NuGet packages, namespaces, API changes, EF Core schema migrations, signing keys, license configuration |
| oauth-oidc-protocols | OAuth 2.0 and OpenID Connect fundamentals — flows, PKCE, discovery, JWKS, introspection |
| token-management | Token lifecycle with Duende.AccessTokenManagement — caching, refresh, DPoP, HttpClientFactory integration |

Looking for general .NET skills? C# coding standards, concurrency patterns, EF Core, database performance, Aspire configuration, dependency injection, Playwright testing, snapshot testing, project structure, package management, and more are available in dotnet-skills.


Agents

| Agent | Description |
|---|---|
| identity-server-specialist | Expert in Duende IdentityServer configuration, deployment, and troubleshooting. Clients, token flows, stores, key rotation, protocol compliance. |
| oauth-oidc-specialist | Expert in OAuth 2.0 and OpenID Connect specifications. RFC guidance, flow selection, protocol debugging, security analysis, FAPI compliance. |

Skill Evaluation Benchmarks

Each skill is evaluated using 5–12 realistic prompts with concrete assertions. Every prompt is answered with the skill loaded and without it (baseline), then graded against the assertions. This measures the incremental value each skill provides over general LLM knowledge.

Run evals for all skills using GitHub Models (via gh CLI):

./scripts/run-evals.sh --iteration 3 --verbose

Results — June 1, 2026 (claude-opus-4-20250514)

227 evals across 24 skills — 1011 total assertions

| | With Skill | Without Skill | Delta |
|---|---|---|---|
| Overall* | 1011/1011 (100%) | | |