Microsoft.AspNetCore.Authentication.JwtBearer Old IdentityModel reference breaks Microsoft.IdentityModel.JsonWebTokens behavior.

[rcollette]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Microsoft.AspNetCore.Authentication.JwtBearer is pulling in older references for Microsoft.IdentityModel.Protocols and Microsoft.IdentityModel.OpenIdConnect.

When using JwtBearer Authentication configured like the following

    private void ConfigureJwtBearerAuthentication(IServiceCollection services)
    {
        // Do not specify the scheme here since we want multiple scheme names.
        services.AddAuthentication()

            // See https://developer.okta.com/blog/2018/03/23/token-authentication-aspnetcore-complete-guide
            // JWT bearer authentication will use the OIDC well-known endpoint
            .AddJwtBearer(
                JwtBearerDefaults.AuthenticationScheme,
                configureOptions: options =>
                {
                    // The address of the authorization server
                    options.Authority = _jwtBearerAuthenticationConfiguration.Authority;
...

Validation of tokens will fail with the following error

IDX10500: Signature validation failed. No security keys were provided to validate the signature

My workaround was to explicitly reference packages in my project

    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.0.2"/>
    <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="8.0.2" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.0.2" />

Expected Behavior

Releases of the Microsoft.AspNetCore.Authentication.JwtBearer package should be in concert with the rest of Microsoft.AspNetCore packages and have peer references that match as do other Microsoft.AspNetCore packages

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8.0.401

Anything else?

Rider IDE

.NET SDK:
Version: 8.0.401
Commit: 811edcc344
Workload version: 8.0.400-manifests.56cd0383
MSBuild version: 17.11.4+37eb419ad

Runtime Environment:
OS Name: Mac OS X
OS Version: 14.6
OS Platform: Darwin
RID: osx-arm64
Base Path: /usr/local/share/dotnet/sdk/8.0.401/

.NET workloads installed:
Configured to use loose manifests when installing new manifests.
There are no installed workloads to display.

Host:
Version: 8.0.8
Architecture: arm64
Commit: 08338fcaa5

.NET SDKs installed:
7.0.404 [/usr/local/share/dotnet/sdk]
8.0.100 [/usr/local/share/dotnet/sdk]
8.0.101 [/usr/local/share/dotnet/sdk]
8.0.200 [/usr/local/share/dotnet/sdk]
8.0.203 [/usr/local/share/dotnet/sdk]
8.0.204 [/usr/local/share/dotnet/sdk]
8.0.300 [/usr/local/share/dotnet/sdk]
8.0.302 [/usr/local/share/dotnet/sdk]
8.0.303 [/usr/local/share/dotnet/sdk]
8.0.400 [/usr/local/share/dotnet/sdk]
8.0.401 [/usr/local/share/dotnet/sdk]

.NET runtimes installed:
Microsoft.AspNetCore.App 7.0.14 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.1 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.2 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.4 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.5 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.6 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.7 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.8 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 7.0.14 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.1 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.2 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.6 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.7 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.8 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
None

Environment variables:
Not set

[mkArtakMSFT]

Thanks for contacting us. What you've done is correct and that's exactly what we recommend customers to do in this case.

The reason we had decided not to update our dependencies in a patch was because updating could have caused other breaking changes in customer apps. Hence, there was no clear "better option" given the situation. We have fixed this in .NET 9 though.

[josephdecock]

@mkArtakMSFT do you have a recommendation for library authors who have dependencies on the Microsoft.IdentityModel libraries? Is there a recommendation for which version of the M.IM.* libraries to depend on from a package that is intended to be consumed side-by-side with the ASP.NET authentication handlers?

I think the simplest thing to do is to require at least version 8.0 or greater of the M.IM.* libs that I depend on. My worry is that folks will install my lib side by side with a handler and resolve incompatible versions of the various wilson packages.