[deps]: Update System.IdentityModel.Tokens.Jwt to v8 #15
This PR contains the following updates:
System.IdentityModel.Tokens.Jwt: 6.36.0 -> 8.3.0
Release Notes
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (System.IdentityModel.Tokens.Jwt)
v8.3.0
=====
New features
Work related to redesign of IdentityModel's token validation logic #2711
Bug fixes
Fundamentals
New Contributors
v8.2.1
=====
New features
Bug fixes
Fundamentals
SecurityTokenDescriptor. See 2993.
Work related to redesign of IdentityModel's token validation logic #2711
IssuerExtensibility. See 2987.
v8.2.0
=====
Fundamentals
Work related to redesign of IdentityModel's token validation logic #2711
v8.1.2
=====
Bug fixes
CaseSensitiveClaimsIdentity as expected. See 2879
Fundamentals
v8.1.1
=====
Bug fixes
v8.1.0
=====
Performance improvements
New features
Bug fixes
Fundamentals
IsTargetFrameworkCompatible(*) so AOT is forward-compatible with .NET 9 and beyond. See PR #2790 for details.
[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors)]. See PR #2820.
Work related to redesign of IdentityModel's token validation logic #2711
v8.0.2
=====
Security fundamentals
BannedApiAnalyzers to prevent use of ClaimsIdentity constructors. See PR #2778 for details.
Bug fixes
UseRfcDefinitionOfEpkAndKid switch. See PR #2747 for details.
DoNotFailOnMissingTid in 7x and DontFailOnMissingTid in 8x, adding the method for back compat. See issue #2750 for details.
JsonWebKeySet stores the original string it was created with. See PR #2755 for details.
SignatureProvider. See #2788 for details.
Fundamentals
9.0.100-preview.7.24407.12 and add <NoWarn>$(NoWarn);SYSLIB0057</NoWarn> due to breaking changes in preview7. #2786.
Work relating to #2711
v8.0.1
=====
Bug fixes
SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #2682 for details.
JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #2737 for details.
Performance improvement
AppContext.TryGetSwitch statically caches internally but takes out a lock. .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.
v8.0.0
=====
CVE package updates
CVE-2024-30105
Breaking change:
Full list of breaking changes.
ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.
CollectionUtilities.IsNullOrEmpty internal. See issues #2651 and #1722 for details.
Overall improvements to the validation in IdentityModel:
New Features:
Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.
Bug fixes:
AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables falling back to the previous behavior, which should not be needed. See PR #2680 for details.
authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.
OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0
OpenIdConnectGrantTypes:
urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants,
urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants,
urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant,
urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange,
urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0
NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #1970.
Fundamentals
ConfigurationManager.GetConfigurationAsync a virtual method. See PR #2661
v7.7.1
7.7.1
Bug Fix
JsonSerializerPrimitives.TryAllStringClaimsAsDateTime which was removed as it is in an internal class, but due to InternalsVisibleTo can lead to a MissingMethodException if IdentityModel versions are not aligned. See PR #2734 for details.
v7.7.0
7.7.0
CVE package updates
CVE-2024-30105
ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Opt in to the new behavior via an AppContext switch. See PR #2715 for details.
v7.6.2
7.6.2
Bug Fix:
AadIssuerValidator by not using string.Replace where appropriate due to an index out-of-range error.
v7.6.1
=====
New Features:
Bug Fixes:
IDX14100. See issue #2058 and PR #2618 for details.
JwtRegisteredClaimNames now contains previously missing Standard OpenIdConnect claims. See issue #1598 for details.
Performance Improvements:
v7.6.0
=====
New Features:
JsonWebToken - extract and expose the method that reads the header/payload property values from the reader so it can be overridden in children classes to add any extra own logic. See issues #2581, #2583, and #2495 for details.
Bug Fixes:
Performance Improvements:
Fundamentals:
Microsoft.IdentityModel.Tokens delegates to a new file. See PR #2606
v7.5.2
=====
Bug Fixes:
Fundamentals:
Performance Improvements:
VerifyRsa/VerifyECDsa. See PR #2589 for more details.
ValidateSignature by using a collection expression instead of new List<SecurityKey> { key }, to optimize for the single element case. See PR #2586 for more details.
AadIssuerValidator. See PR #2584 for more details.
v7.5.1
=====
Performance Improvements:
Fundamentals:
Bug Fix:
UserInfoEndpoint. See issue #2548 for details.
v7.5.0
=====
New features
v7.4.1
======
Bug Fixes:
SamlSecurityTokenHandler and Saml2SecurityTokenHandler now can fetch configuration when validating SAML issuer and signature. See PR #2412
JsonWebToken.ReadToken now correctly checks Dot3 index in JWE. See PR #2501
Engineering Excellence:
Microsoft.IdentityModel.Logging in Microsoft.IdentityModel.Protocols, which already depends on it via Microsoft.IdentityModel.Tokens. See PR #2508
build.sh, improving speed. See PR #2521
v7.4.0
======
New Features:
Performance Improvements:
Fundamentals:
Engineering Excellence:
v7.3.1
======
Bug Fixes:
MetadataName constant. See issue #2471 for details.
Performance Improvements:
Documentation:
azp in JsonWebToken. See #2475 for details.
v7.3.0
======
New Features:
Addition of the ClientCertificates property to the HttpRequestData class enables exposure of certificate collection involved in authenticating the client against the server and unlock support of new scenarios within the SDK. See PR #2462 for details.
Bug Fixes:
Fixed bug where x5c property is empty in JwtHeader after reading a JWT containing x5c in its header, issue #2447, see PR #2460 for details.
Fixed bug where JwtPayload.Claim.Value was not culture invariant #2409. Fixed by PRs #2453 and #2461.
Fixed bug where Guid values in JwtPayload caused an exception, issue #2439. Fixed by PR #2440.
Performance Improvements:
Remove linq from BaseConfigurationComparer, improvement #2464, for additional details see PR #2465.
Engineering Excellence:
New benchmark tests for AsymmetricAdapter signatures. For details see PR #2449.
v7.2.0
======
Performance Improvements:
Reduce allocations and transformations when creating a token #2395.
Update Esrp Code Signing version to speed up release build #2429.
Engineering Excellence:
Improve benchmark consistency #2428.
Adding P50, P90 and P100 percentiles to benchmarks #2411.
Decouple benchmark tests from test projects #2413.
Include pack step in PR builds #2442.
Fundamentals:
Improve logging in Wilson for failed token validation when key not found #2436.
Remove conditional Net8.0 compilation #2424.
v7.1.2
======
Security fixes:
See https://aka.ms/IdentityModel/Jan2024/zip and https://aka.ms/IdentityModel/Jan2024/jku for details.
v7.0.3
======
Bug Fixes:
AddMicrosoftIdentityWebApp to .NET 8. See PR for details.
v7.0.2
======
Bug Fixes:
v7.0.1
======
Bug Fixes:
v7.0.0
======
See IdentityModel7x for the updates on this much anticipated release.
Configuration
📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
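
The claim-retrieval change described in the v8.0.0 notes above, as an added example (not code from this PR or from the IdentityModel project): it runs the same lookups against .NET's ClaimsIdentity and against CaseSensitiveClaimsIdentity from Microsoft.IdentityModel.Tokens 8.x and lists the claim types whose result differs. The ClaimLookupAudit class, its method names, the sample claims and the queried claim types are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens; // CaseSensitiveClaimsIdentity (8.0.0 or later)

public static class ClaimLookupAudit
{
    // Returns the claim types whose lookup succeeds on one identity type but
    // not on the other, i.e. the checks whose outcome changes with the upgrade.
    public static IReadOnlyList<string> LookupsThatChange(
        IEnumerable<Claim> claims, IEnumerable<string> queriedTypes)
    {
        var claimList = claims.ToList();

        // ClaimsIdentity matches claim types with a case-insensitive comparison.
        var legacy = new ClaimsIdentity(claimList, "Bearer");

        // CaseSensitiveClaimsIdentity matches claim types exactly, consistent
        // with querying the underlying SecurityToken.
        var strict = new CaseSensitiveClaimsIdentity(claimList, "Bearer");

        return queriedTypes
            .Where(t => (legacy.FindFirst(t) != null) != (strict.FindFirst(t) != null))
            .ToList();
    }

    public static void Main()
    {
        // Constructed sample: the issuer emits "Role" and "TID", while the
        // application code asks for the lower-case names.
        var tokenClaims = new[]
        {
            new Claim("sub", "alice"),
            new Claim("Role", "admin"),
            new Claim("TID", "contoso-tenant"),
        };
        var typesTheAppQueries = new[] { "sub", "role", "tid" };

        foreach (var type in LookupsThatChange(tokenClaims, typesTheAppQueries))
        {
            Console.WriteLine($"Lookup of \"{type}\" matches only case-insensitively; " +
                              "review the authorization checks that depend on it.");
        }
    }
}
```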