3.1.0

dependabot · 2024-08-22T13:35:39Z

Release notes

Sourced from Microsoft.Identity.Web's releases.

3.1.0

Updated to Microsoft.IdentityModel.* 8.0.2

Security improvement:

Id Web now uses CaseSensitiveClaimsIdentity by default and provides AppContextSwitches to fallback to using ClaimsIdentity. This means that when you loopup claims with FindFirst(), FindAll() and HasClaim(), you need to provide the right casing for the claim. See PR #2977 for details.

Bug fixes:

For SN/I scenarios, Id Web's GetTokenAcquirer now sets SendX5C in particular protocols. See issue #2887 for details.

Fix for Instance/Tenant parsing for V2 authority (affected one Entra External IDs scenario). See PR #2954 for details.

Fix regex that threw a format exception: The input string " was not in a correct format when enabling same-site cookie compatibility with userAgent: "Dalvik/2.1.0 (Linux; U; Android 12; Chromecast Build/STTE.230319.008.H1). See issue #2879 for details.

Microsoft.Identity.Web 3.1.0 now has an upper bound set on its dependency on Microsoft.Identity.Abstractions to version 7x to avoid referencing Microsoft.Identity.Abstractions 8.0.0, which has an interface breaking change, not yet implemented in Microsoft.Identity.Web. See PR #2962 for details.

Fundamentals:

Fix flakey tests: #2972, #2984, #2982,

Update to AzureKeyVault@2 in AzureDevOps, #2981.

Update to .NET 9-preview7, #2980 and #2991.

It's now possible to build a specific version of Microsoft.Identity.Web based on specific versions of Microsoft.IdentityModel and Microsoft.Identity.Abstractions by specifying build variables on the dotnet pack command (MicrosoftIdentityModelVersion, MicrosoftIdentityAbstractionsVersions, and MicrosoftIdentityWebVersion): #2974, #2990

What's Changed

Add X5C to MSAuth POP by @bgavrilMS in AzureAD/microsoft-identity-web#2950

Update CSPROJ with README by @localden in AzureAD/microsoft-identity-web#2956

Fix Instance/Tenant Parsing for V2 Authority by @jackj-msft in AzureAD/microsoft-identity-web#2954

Check that regex succeeded and value is an integer. by @brentschmaltz in AzureAD/microsoft-identity-web#2958

Set upper bound on Abstractions by @westin-m in AzureAD/microsoft-identity-web#2962

Removing 2.x versions post 3.0.0-preview1 by @JoshLozensky in AzureAD/microsoft-identity-web#2967

Fix test instability by @keegan-caruso in AzureAD/microsoft-identity-web#2971

Fix AT POP tests by @keegan-caruso in AzureAD/microsoft-identity-web#2972

Update to net 9 preview 7 by @westin-m in AzureAD/microsoft-identity-web#2980

Updating AzureKeyVault task to version 2 by @JoshLozensky in AzureAD/microsoft-identity-web#2981

[test] updates for one build by @jennyf19 in AzureAD/microsoft-identity-web#2974

Disable ciam test by @keegan-caruso in AzureAD/microsoft-identity-web#2983

Ensure that SimulateOidc is built before IntegrationTests (that use it) by @jmprieur in AzureAD/microsoft-identity-web#2984

skip more CIAM E2E tests by @jennyf19 in AzureAD/microsoft-identity-web#2985

remove grpc in E2E test by @jennyf19 in AzureAD/microsoft-identity-web#2986

Jennyf/fix slice by @jennyf19 in AzureAD/microsoft-identity-web#2988

reenable other ciam test by @jennyf19 in AzureAD/microsoft-identity-web#2989

Jennyf/client sem ver by @jennyf19 in AzureAD/microsoft-identity-web#2990

Fix Id Web Build by @FuPingFranco in AzureAD/microsoft-identity-web#2991

Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors and AppContextSwitches for fallback by @pmaytak in AzureAD/microsoft-identity-web#2977

New Contributors

@localden made their first contribution in AzureAD/microsoft-identity-web#2956

@jackj-msft made their first contribution in AzureAD/microsoft-identity-web#2954

Full Changelog: AzureAD/microsoft-identity-web@3.0.1...3.1.0

3.0.1

Updated to Microsoft.IdentityModel.* 8.0.1

... (truncated)

Changelog

Sourced from Microsoft.Identity.Web's changelog.

3.1.0

Updated to Microsoft.IdentityModel.* 8.0.2

Security improvement:

Id Web now uses CaseSensitiveClaimsIdentity by default and provides AppContextSwitches to fallback to using ClaimsIdentity. This means that when you loopup claims with FindFirst(), FindAll() and HasClaim(), you need to provide the right casing for the claim. See PR #2977 for details.

Bug fixes:

For SN/I scenarios, Id Web's GetTokenAcquirer now sets SendX5C in particular protocols. See issue #2887 for details.

Fix for Instance/Tenant parsing for V2 authority (affected one Entra External IDs scenario). See PR #2954 for details.

Fix regex that threw a format exception: The input string " was not in a correct format when enabling same-site cookie compatibility with userAgent: "Dalvik/2.1.0 (Linux; U; Android 12; Chromecast Build/STTE.230319.008.H1). See issue #2879 for details.

Microsoft.Identity.Web 3.1.0 now has an upper bound set on its dependency on Microsoft.Identity.Abstractions to version 7x to avoid referencing Microsoft.Identity.Abstractions 8.0.0, which has an interface breaking change, not yet implemented in Microsoft.Identity.Web. See PR #2962 for details.

Fundamentals:

Fix flakey tests: #2972, #2984, #2982,

Update to AzureKeyVault@2 in AzureDevOps, #2981.

Update to .NET 9-preview7, #2980 and #2991.

It's now possible to build a specific version of Microsoft.Identity.Web based on specific versions of Microsoft.IdentityModel and Microsoft.Identity.Abstractions by specifying build variables on the dotnet pack command (MicrosoftIdentityModelVersion, MicrosoftIdentityAbstractionsVersions, and MicrosoftIdentityWebVersion): #2974, #2990

========

See rel/v2 branch changelog for changes to all 2.x.x versions after 2.18.1.

The changes listed in the rel/v2 changelog are also in the 3.x.x versions of Id Web but are not listed here.

========

3.0.1

Updated to Microsoft.IdentityModel.* 8.0.1

3.0.0

CVE package updates

CVE-2024-30105

See PR #2929 for details.

Updated to Microsoft.IdentityModel.* 8.0.0, Microsoft.Identity.Lab API 1.0.2, Microsoft.Identity.Abstractions 6.0.0

See rel/v2 changelog for full list of added features to 3.0.0.

Fundamentals:

Update lab cert and lab version. See PR #2923 for details.

3.0.0-preview3

Updated to Microsoft.IdentityModel.* 8.0.0-preview3

3.0.0-preview2

... (truncated)

Commits

63bc10e Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors and AppC...
fcd715e Fix Id Web build (#2991)
23f6d94 Jennyf/client sem ver (#2990)
287c8e6 reenable other ciam test (#2989)
7889d56 Jennyf/fix slice (#2988)
60b96dc remove grpc in E2E test (#2986)
86700d7 skip more CIAM E2E tests (#2985)
cbd131d Ensure that SimulateOidc is built before IntegrationTests (that use it) (#2984)
17f0078 Disable ciam test (#2983)
fc42cec [test] updates for one build (#2974)
Additional commits viewable in compare view

Updates Microsoft.Extensions.Logging.Abstractions from 2.1.0 to 8.0.0

Release notes

Sourced from Microsoft.Extensions.Logging.Abstractions's releases.

.NET 8.0.0

Release

What's Changed

[release/8.0-rc1] [release/8.0] Events for IL methods without IL headers by @github-actions in dotnet/runtime#92317

[release/8.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/runtime#92340

[release/8.0-rc1] [release/8.0] Fix wasi build. by @github-actions in dotnet/runtime#92368

[automated] Merge branch 'release/8.0-rc2' => 'release/8.0' by @dotnet-maestro-bot in dotnet/runtime#92325

[release/8.0] Update dependencies from dotnet/roslyn by @dotnet-maestro in dotnet/runtime#92303

[automated] Merge branch 'release/8.0-rc1' => 'release/8.0' by @dotnet-maestro-bot in dotnet/runtime#92374

[release/8.0] Bump version to GA by @carlossanlop in dotnet/runtime#92305

[release/8.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/runtime#92476

[automated] Merge branch 'release/8.0-rc2' => 'release/8.0' by @dotnet-maestro-bot in dotnet/runtime#92401

[release/8.0] Update dependencies from dotnet/roslyn by @dotnet-maestro in dotnet/runtime#92418

[release/8.0] Update dependencies from dotnet/source-build-reference-packages by @dotnet-maestro in dotnet/runtime#92474

[release/8.0] Update dependencies from dnceng/internal/dotnet-optimization by @dotnet-maestro in dotnet/runtime#92473

[release/8.0] Update dependencies from dotnet/roslyn by @dotnet-maestro in dotnet/runtime#92488

[automated] Merge branch 'release/8.0-rc2' => 'release/8.0' by @dotnet-maestro-bot in dotnet/runtime#92484

[release/8.0] Update dependencies from dotnet/roslyn-analyzers by @dotnet-maestro in dotnet/runtime#92499

[release/8.0] Update dependencies from dotnet/emsdk by @dotnet-maestro in dotnet/runtime#92532

[automated] Merge branch 'release/8.0-rc2' => 'release/8.0' by @dotnet-maestro-bot in dotnet/runtime#92515

[release/8.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/runtime#92641

[release/8.0] Update dependencies from dotnet/emsdk dotnet/hotreload-utils by @dotnet-maestro in dotnet/runtime#92606

[release/8.0][wasm] Fix regressed file sizes for blazor by @radical in dotnet/runtime#92627

[release/8.0] JIT: Fixed containment of STOREIND of HW intrinsics ConvertTo*/Extract* by @github-actions in dotnet/runtime#92513

[release/8.0] Define bool as Interop.BOOL to prevent upper bytes setting native bool by @github-actions in dotnet/runtime#92681

[release/8.0] Make CoreCLR/NativeAOT assembly compile with .subsections_via_symbols on Apple platforms by @github-actions in dotnet/runtime#92544

[release/8.0] Fix LLVMAOT Mono runtime variant official build to produce correctly named runtime packs by @github-actions in dotnet/runtime#92737

[release/8.0] Remove all PGO assets except for the runtime PGO archive. by @github-actions in dotnet/runtime#92735

[release/8.0] Put HasNativeCodeReJITAware into GetFunctionAddress by @github-actions in dotnet/runtime#92665

[release/8.0] Update dependencies from dotnet/cecil dotnet/emsdk by @dotnet-maestro in dotnet/runtime#92702

[release/8.0][wasm] Fix Wasm.Build.Tests failing due to an old skiasharp reference by @radical in dotnet/runtime#92747

[release/8.0] Update dependencies from dotnet/installer by @radical in dotnet/runtime#92745

[release/8.0] Bring back CopyOutputSymbolsToPublishDirectory by @github-actions in dotnet/runtime#92369

[release/8.0] Update dependencies from dotnet/installer by @radical in dotnet/runtime#92795

[release/8.0] Update dependencies from dnceng/internal/dotnet-optimization by @dotnet-maestro in dotnet/runtime#92762

[release/8.0] Update dependencies from dnceng/internal/dotnet-optimization by @dotnet-maestro in dotnet/runtime#92816

[release/8.0][wasm][debugger] Support multidimensional indexing of object scheme by @ilonatommy in dotnet/runtime#92753

[release/8.0] [browser] Remove duplicated marshaling of return value for JSExport by @github-actions in dotnet/runtime#92886

[release/8.0] [browser][nodejs] keep runtime alive for JSExport calls by @github-actions in dotnet/runtime#92890

[release/8.0] Update dependencies from dotnet/roslyn by @dotnet-maestro in dotnet/runtime#92503

[release/8.0] Make config binding gen incremental (#89587) by @layomia in dotnet/runtime#92730

[release/8.0] [wasm] Endian fix for Webcil by @github-actions in dotnet/runtime#92495

[release/8.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/runtime#92935

[release/8.0] Update dependencies from dotnet/cecil dotnet/hotreload-utils by @dotnet-maestro in dotnet/runtime#92932

[release/8.0][wasm] Use intended ports when running DevServer by @radical in dotnet/runtime#92906

[release/8.0] Fix deadlock in EventPipeEventDispatcher by @github-actions in dotnet/runtime#92912

[release/8.0] CI: runtime-wasm-perf: disable for PRs by @radical in dotnet/runtime#92977

[release/8.0] Throw when applying JsonObjectHandling.Populate to types with parameterized constructors. by @github-actions in dotnet/runtime#92947

[release/8.0] Use invariant culture in CBOR date encoding by @github-actions in dotnet/runtime#92924

... (truncated)

Commits

See full diff in compare view

Updates Microsoft.Identity.Client from 4.46.0 to 4.61.3

Release notes

Sourced from Microsoft.Identity.Client's releases.

4.61.3

Bug Fixes

Exclude the use of WSTrust for ROPC flow except for AAD authorities. See [Issue #4791](AzureAD/microsoft-authentication-library-for-dotnet#4791)

4.61.2

Bug Fixes

Fixed a regression in MSAL 4.61.1 where Proof of Possession (POP) extensibility API was made available for all the confidential client scenarios caused runtime exception for users using higher level SDKs with explicit dependency on MSAL. See 4789

Measurement of duration in milliseconds is now consistent across all platforms. See 4784

4.61.1

New Features

Enabled Proof of Possession (POP) extensibility API for all confidential client requests, enhancing security measures for confidential clients. See 4757

Introduced a public API that identifies and returns the current Azure environment for Managed Identity. See 4751

Deprecated the WithClientAssertion(string) method. Developers are encouraged to use the overload with Func instead, which ensures the return of a non-expired assertion, potentially including a Federated Credential. See 4775

Adding support for Non-GUID Client IDs with AuthorityType.Generic See #4686

Bug Fixes

Improved logic to handle ADFS tokens that include a manually added tid claim, preventing exceptions. See 4608

Improved build-time validation to ensure that applications using the WithBroker(true) method will fail at build time if the application targets net6-windows and uses an old broker API. This change prevents runtime failures and facilitates early detection of issues. See 4768

Fixed token acquisition failure in broker based flow when authority is common. See 4696

4.61.0

New Features

Removed support for deprecated frameworks, Xamarin.Android 12 and Xamarin.iOS 10. MSAL.NET packages will no longer include monoandroid12.0 and xamarinios10 binaries. Existing applications should migrate to modern frameworks like .NET MAUI. See 4715 and Announcing the Upcoming Deprecation of MSAL.NET for Xamarin and UWP.

Removed support for UWP. MSAL.NET packages will no longer include uap10.0.17763 binary. Existing applications should migrate to modern frameworks like WinUI 3. See 4717 and Announcing the Upcoming Deprecation of MSAL.NET for Xamarin and UWP.

Removed Windows Forms dependency from Microsoft.Identity.Client, which will no longer include net6.0-windows7.0 binary. Existing desktop applications targeting net6.0-windows should reference Microsoft.Identity.Client.Broker when using interactive authentication with Windows Broker and call WithBroker(BrokerOptions); or reference Microsoft.Identity.Client.Desktop when authenticating with browser and call WithWindowsEmbeddedBrowserSupport(). There are no changes to the usage of the system browser. See 4468.

Re-enabled the use of SHA 256 and PSS padding to create client assertions. See 4695.

Bug Fixes

Public methods in Kerberos TicketCacheWriter and TicketCacheReader were corrected to be internal. Public API in KerberosSupplementalTicketManager should be used. See #4726.

4.60.3

Bug Fixes

Updated Android webview attribute.

4.60.2

Bug Fixes

When OnBeforeTokenRequest extensibility API is used, MSAL now correctly uses the user-provided OnBeforeTokenRequestData.RequestUri to set the token request endpoint. See 4701.

4.60.1

Addressed an issue where attempts to acquire a token via certificate authentication resulted in a Microsoft.Identity.Client.MsalServiceException (Error code: AADSTS5002730), signaling an "Invalid JWT token. Unsupported key for the signing algorithm." This was due to a known bug in Microsoft Entra ID (Azure AD) that affects the handling of JWT tokens signed with certain algorithms, specifically SHA2 and PSS. See 4690

4.60.0

New Features

AAD client assertions are computed using SHA 256 and PSS padding. See 4428

CorrelationId is available in MsalException. See 4187

Open telemetry records telemetry for proactive token refresh background process. See 4492

MSAL.Net now supports generic authorities with query parameters. See 4631

... (truncated)

Changelog

Sourced from Microsoft.Identity.Client's changelog.

4.61.3

Bug Fixes

Exclude the use of WSTrust for ROPC flow except for AAD authorities. See [Issue #4791](AzureAD/microsoft-authentication-library-for-dotnet#4791)

4.61.2

Bug Fixes

Fixed a regression in MSAL 4.61.1 where the Proof of Possession (POP) extensibility API, when made available for all confidential client scenarios, caused a runtime exception for users of higher-level SDKs that have an explicit dependency on MSAL. See [Issue #4789](AzureAD/microsoft-authentication-library-for-dotnet#4789).

Ensured that the measurement of duration in milliseconds is now consistent across all platforms. See [Issue #4784](AzureAD/microsoft-authentication-library-for-dotnet#4784).

4.61.1

New Features

Enabled Proof of Possession (POP) extensibility API for all confidential client requests, enhancing security measures for confidential clients. See 4757

Introduced a public API that identifies and returns the current Azure environment for Managed Identity. See 4751

Deprecated the WithClientAssertion(string) method. Developers are encouraged to use the overload with Func instead, which ensures the return of a non-expired assertion, potentially including a Federated Credential. See 4775

Adding support for Non-GUID Client IDs with AuthorityType.Generic See #4686

Bug Fixes

Improved logic to handle ADFS tokens that include a manually added tid claim, preventing exceptions. See 4608

Improved build-time validation to ensure that applications using the WithBroker(true) method will fail at build time if the application targets net6-windows and uses an old broker API. This change prevents runtime failures and facilitates early detection of issues. See 4768

Fixed token acquisition failure in broker based flow when authority is common. See 4696

4.61.0

New Features

Removed support for deprecated frameworks, Xamarin.Android 12 and Xamarin.iOS 10. MSAL.NET packages will no longer include monoandroid12.0 and xamarinios10 binaries. Existing applications should migrate to modern frameworks like .NET MAUI. See 4715 and Announcing the Upcoming Deprecation of MSAL.NET for Xamarin and UWP.

Removed support for UWP. MSAL.NET packages will no longer include uap10.0.17763 binary. Existing applications should migrate to modern frameworks like WinUI 3. See 4717 and Announcing the Upcoming Deprecation of MSAL.NET for Xamarin and UWP.

Removed Windows Forms dependency from Microsoft.Identity.Client, which will no longer include net6.0-windows7.0 binary. Existing desktop applications targeting net6.0-windows should reference Microsoft.Identity.Client.Broker when using interactive authentication with Windows Broker and call WithBroker(BrokerOptions); or reference Microsoft.Identity.Client.Desktop when authenticating with browser and call WithWindowsEmbeddedBrowserSupport(). There are no changes to the usage of the system browser. See 4468.

Re-enabled the use of SHA 256 and PSS padding to create client assertions. See 4695.

Bug Fixes

Public methods in Kerberos TicketCacheWriter and TicketCacheReader were corrected to be internal. Public API in KerberosSupplementalTicketManager should be used. See #4726.

4.60.3

Bug Fixes

Updated Android webview attribute.

4.60.2

Bug Fixes

When OnBeforeTokenRequest extensibility API is used, MSAL now correctly uses the user-provided OnBeforeTokenRequestData.RequestUri to set the token request endpoint. See 4701.

4.60.1

Bug Fixes

Resolved an issue where MSAL attempts to acquire a token via certificate authentication using SHA2 and PSS resulting in a `MsalServiceException' (Error code: AADSTS5002730). See 4690.

... (truncated)

Commits

08675d0 Update CHANGELOG.md (#4800)
88df640 Fix for #4791 - don't use WSTrust for ROPC except for AAD authorities (#4794)
3f5f9df Update
8a6fe48 Update AzureArcManagedIdentitySource.cs
61a89f7 Update ext
fddb2c4 Update as discussed
d2201cf Changelog for 4.61.2 (#4795)
449251d Required feature update
5c6f22f Fix TypeLoadException (#4792)
239d9d6 MeasureDurationResult incorrect when running in linux (#4785)
Additional commits viewable in compare view

Updates Microsoft.IdentityModel.JsonWebTokens from 5.3.0 to 8.0.2

Release notes

Sourced from Microsoft.IdentityModel.JsonWebTokens's releases.

8.0.1

Bug fixes

IdentityModel now resolves the public key for ECDH. See issue #1951 for details.

Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #2682 for details.

For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #2737 for details.

Performance improvement

AppContext.TryGetSwitch statically caches internally but takes out a lock. .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.

8.0.0

CVE package updates

CVE-2024-30105

See PR #2707 for details.

Breaking change:

Full list of breaking changes.

A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.

Make CollectionUtilities.IsNullOrEmpty internal. See issues update MSAL version AzureAD/microsoft-identity-web#2651 and #1722 for details.

Overall improvements to the validation in IdentityModel:

See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.

Bug fixes:

Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #2680 for details.

Continuation of #2637 and #2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.

The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0

The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0

Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #2524 for details.

When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #1970.

Fundamentals

Remove code that was used in target frameworks that got removed. See PR #2673 for details.

Rename local variables for better readability. See PR #2674 for details.

Refactor XML comments for improved clarity. See PR #2676, #2677, #2678, #2689 and #2703 for details.

Fix flaky test. See issue #2683 for details.

Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #2661

8.0.0-preview1

Breaking changes:

IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue #2544 for details.

Two IdentityModel extension dlls Microsoft.IdentityModel.KeyVaultExtensions and Microsoft.IdentityModel.ManagedKeyVaultSecurityKey were using ADAL, which is no longer supported . The affected packages have been removed, as the replacement is to use Microsoft.Identity.Web. See issue #2454 for details.

AppContext.SetSwitch which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue #2629 and https://aka.ms/IdentityModel8x for details.

... (truncated)

Changelog

Sourced from Microsoft.IdentityModel.JsonWebTokens's changelog.

See the releases for details on bug fixes and added features.

8.0.1

Bug fixes

IdentityModel now resolves the public key to EPK. See issue #1951 for details.

Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #2682 for details.

For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #2737 for details.

Performance improvement

AppContext.TryGetSwitch statically caches internally but takes out a lock. .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.

8.0.0

CVE package updates

CVE-2024-30105

See PR #2707 for details.

Breaking change:

Full list of breaking changes.

A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.

Make CollectionUtilities.IsNullOrEmpty internal. See issues update MSAL version AzureAD/microsoft-identity-web#2651 and #1722 for details.

Overall improvements to the validation in IdentityModel:

See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.

Bug fixes:

Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #2680 for details.

Continuation of #2637 and #2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.

The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0

The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0

Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #2524 for details.

When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #1970.

Fundamentals

Remove code that was used in target frameworks that got removed. See PR #2673 for details.

Rename local variables for better readability. See PR #2674 for details.

Refactor XML comments for improved clarity. See PR

…s, Microsoft.Identity.Client, Microsoft.IdentityModel.JsonWebTokens, Microsoft.IdentityModel.Logging, System.Text.Json, System.Text.Encodings.Web, Azure.Identity, Azure.Security.KeyVault.Certificates, Azure.Security.KeyVault.Secrets, Microsoft.AspNetCore.DataProtection, System.Security.Cryptography.Xml, System.Drawing.Common, Microsoft.Extensions.Caching.Memory, Microsoft.Extensions.Logging, Microsoft.Extensions.DependencyInjection, System.Formats.Asn1, System.Security.Cryptography.Pkcs, Microsoft.Extensions.Configuration.Binder, Microsoft.Extensions.Configuration.EnvironmentVariables, Microsoft.Extensions.Configuration, Microsoft.Extensions.Configuration.Json, Microsoft.Extensions.Options.ConfigurationExtensions, Microsoft.IdentityModel.LoggingExtensions, System.IdentityModel.Tokens.Jwt, Microsoft.IdentityModel.Protocols.OpenIdConnect, Microsoft.Extensions.Hosting and Microsoft.IdentityModel.Validators Bumps [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web), [Microsoft.Extensions.Logging.Abstractions](https://github.com/dotnet/runtime), [Microsoft.Identity.Client](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet), [Microsoft.IdentityModel.JsonWebTokens](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet), [Microsoft.IdentityModel.Logging](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet), [System.Text.Json](https://github.com/dotnet/runtime), [System.Text.Encodings.Web](https://github.com/dotnet/runtime), Azure.Identity, Azure.Security.KeyVault.Certificates, Azure.Security.KeyVault.Secrets, [Microsoft.AspNetCore.DataProtection](https://github.com/dotnet/aspnetcore), [System.Security.Cryptography.Xml](https://github.com/dotnet/runtime), [System.Drawing.Common](https://github.com/dotnet/runtime), [Microsoft.Extensions.Caching.Memory](https://github.com/dotnet/runtime), [Microsoft.Extensions.Logging](https://github.com/dotnet/runtime), [Microsoft.Extensions.DependencyInjection](https://github.com/dotnet/runtime), [System.Formats.Asn1](https://github.com/dotnet/runtime), [System.Security.Cryptography.Pkcs](https://github.com/dotnet/runtime), [Microsoft.Extensions.Configuration.Binder](https://github.com/dotnet/runtime), [Microsoft.Extensions.Configuration.EnvironmentVariables](https://github.com/dotnet/runtime), [Microsoft.Extensions.Configuration](https://github.com/dotnet/runtime), [Microsoft.Extensions.Configuration.Json](https://github.com/dotnet/runtime), [Microsoft.Extensions.Options.ConfigurationExtensions](https://github.com/dotnet/runtime), [Microsoft.IdentityModel.LoggingExtensions](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet), [System.IdentityModel.Tokens.Jwt](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet), [Microsoft.IdentityModel.Protocols.OpenIdConnect](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet), [Microsoft.Extensions.Hosting](https://github.com/dotnet/runtime) and [Microsoft.IdentityModel.Validators](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet). These dependencies needed to be updated together. Updates `Microsoft.Identity.Web` from 2.15.3 to 3.1.0 - [Release notes](https://github.com/AzureAD/microsoft-identity-web/releases) - [Changelog](https://github.com/AzureAD/microsoft-identity-web/blob/master/changelog.md) - [Commits](AzureAD/microsoft-identity-web@2.15.3...3.1.0) Updates `Microsoft.Extensions.Logging.Abstractions` from 2.1.0 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v8.0.0) Updates `Microsoft.Identity.Client` from 4.46.0 to 4.61.3 - [Release notes](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/CHANGELOG.md) - [Commits](AzureAD/microsoft-authentication-library-for-dotnet@4.46.0...4.61.3) Updates `Microsoft.IdentityModel.JsonWebTokens` from 5.3.0 to 8.0.2 - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commits) Updates `Microsoft.IdentityModel.Logging` from 5.3.0 to 8.0.2 - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commits) Updates `System.Text.Json` from 6.0.0 to 8.0.4 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](dotnet/runtime@v6.0.0...v8.0.4) Updates `System.Text.Encodings.Web` from 6.0.0 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](dotnet/runtime@v6.0.0...v8.0.0) Updates `Azure.Identity` from 1.10.2 to 1.11.4 Updates `Azure.Security.KeyVault.Certificates` from 4.1.0 to 4.6.0 Updates `Azure.Security.KeyVault.Secrets` from 4.1.0 to 4.6.0 Updates `Microsoft.AspNetCore.DataProtection` from 2.1.0 to 8.0.1 - [Release notes](https://github.com/dotnet/aspnetcore/releases) - [Changelog](https://github.com/dotnet/aspnetcore/blob/main/docs/ReleasePlanning.md) - [Commits](dotnet/aspnetcore@2.1.0...v8.0.1) Updates `System.Security.Cryptography.Xml` from 4.7.1 to 8.0.1 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v8.0.1) Updates `System.Drawing.Common` from 4.7.0 to 5.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v5.0.0) Updates `Microsoft.Extensions.Caching.Memory` from 1.0.0 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v8.0.0) Updates `Microsoft.Extensions.Logging` from 2.1.0 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v8.0.0) Updates `Microsoft.Extensions.DependencyInjection` from 2.1.0 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v8.0.0) Updates `System.Formats.Asn1` from 6.0.1 to 8.0.1 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](dotnet/runtime@v6.0.1...v8.0.1) Updates `System.Security.Cryptography.Pkcs` from 4.7.0 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v8.0.0) Updates `Microsoft.Extensions.Configuration.Binder` from 2.1.0 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v8.0.0) Updates `Microsoft.Extensions.Configuration.EnvironmentVariables` from 2.1.1 to 6.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v6.0.0) Updates `Microsoft.Extensions.Configuration` from 2.1.0 to 6.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v6.0.0) Updates `Microsoft.Extensions.Configuration.Json` from 3.1.0 to 6.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v6.0.0) Updates `Microsoft.Extensions.Options.ConfigurationExtensions` from 2.1.0 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v8.0.0) Updates `Microsoft.IdentityModel.LoggingExtensions` from 6.33.0 to 8.0.2 - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commits) Updates `System.IdentityModel.Tokens.Jwt` from 5.3.0 to 8.0.2 - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commits) Updates `Microsoft.IdentityModel.Protocols.OpenIdConnect` from 5.3.0 to 8.0.2 - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commits) Updates `Microsoft.Extensions.Hosting` from 2.1.1 to 6.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](https://github.com/dotnet/runtime/commits/v6.0.0) Updates `Microsoft.IdentityModel.Validators` from 6.33.0 to 8.0.2 - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commits) --- updated-dependencies: - dependency-name: Microsoft.Identity.Web dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.Logging.Abstractions dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Identity.Client dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: Microsoft.IdentityModel.JsonWebTokens dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.IdentityModel.Logging dependency-type: direct:production update-type: version-update:semver-major - dependency-name: System.Text.Json dependency-type: direct:production update-type: version-update:semver-major - dependency-name: System.Text.Encodings.Web dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Azure.Identity dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: Azure.Security.KeyVault.Certificates dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: Azure.Security.KeyVault.Secrets dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: Microsoft.AspNetCore.DataProtection dependency-type: direct:production update-type: version-update:semver-major - dependency-name: System.Security.Cryptography.Xml dependency-type: direct:production update-type: version-update:semver-major - dependency-name: System.Drawing.Common dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.Caching.Memory dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.Logging dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.DependencyInjection dependency-type: direct:production update-type: version-update:semver-major - dependency-name: System.Formats.Asn1 dependency-type: direct:production update-type: version-update:semver-major - dependency-name: System.Security.Cryptography.Pkcs dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.Configuration.Binder dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.Configuration.EnvironmentVariables dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.Configuration dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.Configuration.Json dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.Options.ConfigurationExtensions dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.IdentityModel.LoggingExtensions dependency-type: direct:production update-type: version-update:semver-major - dependency-name: System.IdentityModel.Tokens.Jwt dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.IdentityModel.Protocols.OpenIdConnect dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.Hosting dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.IdentityModel.Validators dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2024-08-22T13:35:40Z

The following labels could not be found: dependabot.

dependabot bot added the dependencies Pull requests that update a dependency file label Aug 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

dependabot bot commented on behalf of github Aug 22, 2024

dependabot bot commented on behalf of github Aug 22, 2024

Are you sure you want to change the base?

Conversation

dependabot bot commented on behalf of github Aug 22, 2024

3.1.0

Security improvement:

Bug fixes:

Fundamentals:

What's Changed

New Contributors

3.0.1

3.1.0

Security improvement:

Bug fixes:

Fundamentals:

3.0.1

3.0.0

CVE package updates

Fundamentals:

3.0.0-preview3

3.0.0-preview2

.NET 8.0.0

What's Changed

4.61.3

Bug Fixes

4.61.2

Bug Fixes

4.61.1

New Features

Bug Fixes

4.61.0

New Features

Bug Fixes

4.60.3

Bug Fixes

4.60.2

Bug Fixes

4.60.1

4.60.0

New Features

4.61.3

Bug Fixes

4.61.2

Bug Fixes

4.61.1

New Features

Bug Fixes

4.61.0

New Features

Bug Fixes

4.60.3

Bug Fixes

4.60.2

Bug Fixes

4.60.1

Bug Fixes

8.0.1

Bug fixes

Performance improvement

8.0.0

CVE package updates

Breaking change:

Overall improvements to the validation in IdentityModel:

New Features:

Bug fixes:

Fundamentals

8.0.0-preview1

Breaking changes:

8.0.1

Bug fixes

Performance improvement

8.0.0

CVE package updates

Breaking change:

Overall improvements to the validation in IdentityModel:

New Features:

Bug fixes:

Fundamentals

dependabot bot commented on behalf of github Aug 22, 2024