Skip to content

chore(deps): update dependency system.identitymodel.tokens.jwt to v8 #60

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency system.identitymodel.tokens.jwt to v8 #60

wants to merge 1 commit into from

Conversation

descope[bot]
Copy link
Contributor

@descope descope bot commented Mar 28, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change Pending OpenSSF
System.IdentityModel.Tokens.Jwt nuget major 7.7.1 -> 8.7.0 8.9.0 (+1) OpenSSF Scorecard

Release Notes

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (System.IdentityModel.Tokens.Jwt)

v8.7.0

Compare Source

=====

Bug Fixes

  • Add back internal methods IsRecoverableException and IsRecoverableExceptionType whose signatures were changed in the previous version. See #​3181.

New Features

  • Make Cnf class public and move it to Microsoft.IdentityModel.Tokens package. See #​3165.

v8.6.1

Compare Source

=====

Bug fix

  • Microsoft.IdentityModel now triggers a configuration refresh if token decryption fails. See issue #​3148 for details.
  • Fix a bug in JsonWebTokenHandler where JwtTokenDecryptionParameters's Alg and Enc were not set during token decryption, causing IDX10611 and IDX10619 errors to show null values in the messages. See issue #​3003 for details.

Fundamentals

  • For development, IdentityModel now has a global.json file to specify the .NET SDK version. See issue #​2995 for details.

v8.6.0

Compare Source

=====

New Features

  • TokenValidationParameters has a new boolean property TryAllDecryptionKeys that let you choose whether to try all decrypt keys when no key matches the token decrypt key IDs. By default it's set to true (legacy behavior) but you can set it to false to avoid tyring all keys which is more performant. See #​3128
  • Promote KeyInfo.MatchesKey from internal to protected internal virtual to enable SAML extensibility (for CoreWcf). See #​3140

Fundamentals

  • Update dependency on Microsoft.Extensions.Logging.Abstractions from 9.0.0 to 8.0.2 to avoid package downgrade in apps on .NET 9 using a netstandard2.0 library referencing logging.abstractions. See 3143
  • Add more tests for encrypted tokens. See #​3139

v8.5.0

Compare Source

=====

Reverting previous breaking change

  • The Configuration Manager has been reverted to version 8.3.1. The changes made in 8.4.0 assume the configuration manager is used as a singleton, which is similar to marking the type as disposable. We have since learned that adding IDisposable is a breaking change, so we are following semver guidance and reverting and releasing a minor version (8.5.0).
  • Cherry-picked Changes: Included changes from PR #​3022 and #​3104.

v8.4.0

Compare Source

=====

New Features

  • App context switch allows blocking or non-blocking calls for configuration. See PR #​3106 for details and issue #​3082 for details.
  • IdentityModel now enables symmetric and asymmetric keys to be created publicly with JWK. See #​3094 for details.
  • IdentityModel now allows specifying the HTTP protocol version and version policy. See #​2808 for details.

Repair items

  • Add request count and duration telemetry for configuration requests. See #​3022 for details.
  • KeyID should be present in exception messages and is no longer PII. See #​3104 for details.

Fundamentals

  • Fix spelling issues in xml comments. See #​3117 for details.
  • Fix comment coverage in PR builds. See #​3079 for details.
Work related to redesign of IdentityModel's token validation logic #​2711

v8.3.1

Compare Source

=====

Bug Fixes

  • Respect TVP.RequireAudience when set to false. See #​3055
  • For net4.6.2 select RSACng for PSS support. See #​3097
  • Fix package downgrade in consuming libraries. See#​3062
  • Fix integer overflow in AuthenticationEncryptionProvider.cs. See #​3063

Fundamentals

  • Removed unused property on JsonWebToken ClaimsIdentity. See #​3071 for details.
  • Upgrade to C# 13. See #​2998
  • Use new Base64Url API. See #​22817
  • Add warning quality check. See #​3067
  • Update dotnet actions. see #​3074
  • Fix warnings. See #​3081
  • Test updates in JsonWebToken. See #​3080.
Work related to redesign of IdentityModel's token validation logic #​2711

v8.3.0

Compare Source

=====

New features

Work related to redesign of IdentityModel's token validation logic #​2711

Bug fixes

Fundamentals

New Contributors

v8.2.1

Compare Source

=====

New features
  • Update to use .NET 9 GA. See 2990.
Bug fixes
  • Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets. See 2935.
  • Update cgmanifest to align with the JSON schema. See 2969.
Fundamentals
  • Streamline token creation by using SecurityTokenDescriptor. See 2993.
  • Prevent inlining to guarantee stack frames in test. See 2999.
Work related to redesign of IdentityModel's token validation logic #​2711
  • Simplify stack frame caching. See 2976.
  • Implement new model for reading SAML and SAML2 tokens. See 2980.
  • Implement new model for validating SAML signature. See 2950.
  • Add tests for IssuerExtensibility. See 2987.
  • Switch to new validation model for SAML and SAML2 issuer signing key. See 2965.
  • Switch to new validation model for SAML and SAML2 algorithm. See 2984.

v8.2.0

Compare Source

=====

Fundamentals
Work related to redesign of IdentityModel's token validation logic #​2711
  • Validates Audience for SAML2TokenHandler with New Model 2863
  • Improvements to AudienceValidation 2902
  • Added properties to ValidationResult 2923
  • Implements Audience and Lifetime validations in SamlSecurityTokenHandler 2925
  • Implements Issuer validation in SamlSecurityTokenHandler 2948

v8.1.2

Compare Source

=====

Bug fixes
  • CaseSensitiveClaimsIdentity.Clone() now returns a CaseSensitiveClaimsIdentity as expected. See 2879
  • Multiple unused and unusable (for the moment) public APIs were removed. These were introduced by mistake leaking from the work done on logging and exception handling. See 2888. No major version changed needed as these APIs were not usable per se.
Fundamentals
  • Enabled PublicApiAnalyzers to better understand and trace changes to the public API. See2782

v8.1.1

Compare Source

=====

Bug fixes
  • Fix bug where ConfigurationManager was updating keys too frequently. See 2866 for details.

v8.1.0

Compare Source

=====

Performance improvements
  • Improves performance during issuer validation by replacing string comparison with span comparison. See PR #​2826.
New features
  • Add optional check to prevent using keys that are shared across multiple clouds. See issue #​2832 for details.
Bug fixes
  • JsonWebTokenHandler would only return unwrapped keys if there was no errors. This change is to align with the behavior in JwtSecurityTokenHandler, that is it returns the keys that were able to be unwrapped, and only throw if no keys were able to be unwrapped. See issue #​2695 for details.
Fundamentals
  • Fix flaky tests. See #​2793 for details.
  • Update XUnit versoin and fix test warnings due to new XUnit analyzers. See PR #​2796 for details.
  • Onhboard to code coverage in ADO. See PR #​2798.
  • Use IsTargetFrameworkCompatible(*) so AOT is forward-compatible with .NET 9 and beyond. See PR #​2790 for details.
  • Fix a merge conflict impacting dev. See PR #​2819.
  • Defining the following attribute in multiple assemblies (.Tokens, .Logging) causes an internal error.
    [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors)]. See PR #​2820.
  • Remove perl dependency. See PR #​2830.
Work related to redesign of IdentityModel's token validation logic #​2711

v8.0.2

Compare Source

=====

Security fundamentals
  • Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors. See PR #​2778 for details.
Bug fixes
  • IdentityModel now allows the JWT payload to be an empty string. See issue #​2656 for details.
  • Cache UseRfcDefinitionOfEpkAndKid switch. See PR #​2747 for details.
  • Method was named DoNotFailOnMissingTid in 7x and DontFailOnMissingTid in 8x, adding the method for back compat. See issue #​2750 for details.
  • Metadata is now updated on a background thread. See #​2780 for details.
  • JsonWebKeySet stores the original string it was created with. See PR #​2755 for details.
  • Restore AOT compatibility. See #​2711.
  • Fix OpenIdConnect parsing bug. See #​2772 for details.
  • Remove the lock on creating a SignatureProvider. See #​2788 for details.
Fundamentals
  • Test clean up #​2742.
  • Use only FxCop in .NET framework targets #​2693.
  • Add rule to add file headers automatically #​2748.
  • Code analysis updates #​2746.
  • Include README packages in NuGet #​2752.
  • Update projects inside WilsonUnix solution #​2768.
  • Code style enforced in build #​2603.
  • CodeQL update #​2767.
  • Update build pipeline to new one release build format #​2777.
  • Update GitHub actions to 9.0.100-preview.7.24407.12 and add <NoWarn>$(NoWarn);SYSLIB0057</NoWarn> due to breaking changes in preview7. #​2786.
Work relating to #​2711

v8.0.1

Compare Source

=====

Bug fixes
  • IdentityModel now resolves the public key to EPK. See issue #​1951 for details.
  • Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #​2682 for details.
  • For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #​2737 for details.
Performance improvement

v8.0.0

Compare Source

=====

CVE package updates

CVE-2024-30105

Breaking change:

Full list of breaking changes.

Overall improvements to the validation in IdentityModel:
  • See design proposal #​2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.
New Features:
  • Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #​2698 for details.
Bug fixes:
Fundamentals
  • Remove code that was used in target frameworks that got removed. See PR #​2673 for details.
  • Rename local variables for better readability. See PR #​2674 for details.
  • Refactor XML comments for improved clarity. See PR #​2676, #​2677, #​2678, #​2689 and #​2703 for details.
  • Fix flaky test. See issue #​2683 for details.
  • Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #​2661

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@descope descope bot added the renovate label Mar 28, 2025
@descope descope bot force-pushed the renovate/major-8-dotnet-azure-ad-identitymodel-extensions-monorepo branch 4 times, most recently from 3406971 to 6a02a76 Compare April 2, 2025 15:42
@descope descope bot force-pushed the renovate/major-8-dotnet-azure-ad-identitymodel-extensions-monorepo branch 2 times, most recently from b13a708 to 439b5d9 Compare April 9, 2025 21:42
@descope descope bot force-pushed the renovate/major-8-dotnet-azure-ad-identitymodel-extensions-monorepo branch from 439b5d9 to d6e58ed Compare April 11, 2025 19:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants