Skip to content

Bump Microsoft.Identity.Web from 3.6.2 to 4.8.0#215

Closed
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/nuget/2-Call-OwnApi/TodoList-WebApi/Microsoft.Identity.Web-4.8.0
Closed

Bump Microsoft.Identity.Web from 3.6.2 to 4.8.0#215
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/nuget/2-Call-OwnApi/TodoList-WebApi/Microsoft.Identity.Web-4.8.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Updated Microsoft.Identity.Web from 3.6.2 to 4.8.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.8.0

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

4.7.0

4.7.0

Bug fixes

  • Updates to Microsoft.Identity.Abstractions 12.0.0 to revert breaking changes introduced in Abstractions 11.0.0. (On .NET 10 target, Certificate extension method in CredentialDescription was reverted to normal property.) See #​3767.

4.6.0

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@4.5.0...4.6.0

4.5.0

New features

  • Add support for certificate store lookup by subject name. See #​3742.

Dependencies updates

  • Bump minimatch in /tests/DevApps/SidecarAdapter/typescript. See #​3739.
  • Bump rollup from 4.52.3 to 4.59.0 in /tests/DevApps/SidecarAdapter/typescript. See #​3740.

4.4.0

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

New Contributors

4.4.0-preview.1

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

4.3.0

New features

  • Added token binding (mTLS PoP) scenario for confidential client (app-only) token acquisition and downstream API calls. See #​3622.

Dependencies updates

  • Bumped qs from 6.14.0 to 6.14.1 in /tests/DevApps/SidecarAdapter/typescript. See #​3660.

Documentation

  • Modernized Identity Web documentation, which is now can be found in docs. See #​3566.
  • Added token binding (mTLS PoP) documentation. See #​3661.

4.2.0

What's Changed

New features

  • Added CAE claims support for FIC + Managed Identity. See #​3647 for details.
  • Added AddMicrosoftIdentityMessageHandler extension methods for IHttpClientBuilder. See #​3649 for details.

Bug fixes

  • Fixed tenant not being propagated in credential FIC acquisition. See #​3633 for details.
  • Fixed ForAgentIdentity hardcoded 'AzureAd' ConfigurationSection to respect AuthenticationOptionsName. See #​3635 for details.
  • Fixed GetTokenAcquirer to propagate MicrosoftEntraApplicationOptions properties. See #​3651 for details.
  • Added meaningful error message when identity configuration is missing. See #​3637 for details.

Dependencies updates

  • Update Microsoft.Identity.Abstractions to version 10.0.0.
  • Bump express from 5.1.0 to 5.2.0 in /tests/DevApps/SidecarAdapter/typescript. #​3636
  • Bump jws from 3.2.2 to 3.2.3 in /tests/DevApps/SidecarAdapter/typescript. #​3641

Fundamentals

  • Update support policy. #​3656
  • Update agent identity coordinates in E2E tests after deauth. #​3640
  • Update E2E agent identity configuration to new tenant. #​3646

Full Changelog: AzureAD/microsoft-identity-web@4.1.1...4.2.0

4.1.1

Bug fixes

  • Authority-only configuration parsing improvements: Early parsing of Authority into Instance/TenantId and defensive fallback in PrepareAuthorityInstanceForMsal. Behavior is backward compatible; Authority is still ignored when Instance/TenantId explicitly provided—now surfaced via a warning. See #​3612.

New features

  • Added warning diagnostics for conflicting Authority vs Instance/TenantId: Emitting a single structured warning when both styles are provided. See #​3611.

Fundamentals

  • Expanded authority test matrix: Coverage for AAD (v1/v2), B2C (/tfp/ normalization, policy path), CIAM (PreserveAuthority), query parameters, scheme-less forms, and conflict scenarios. See #​3610.

4.1.0

New features

Dependencies updates

  • Bump MSAL.NET to version 4.79.2 and handle changes to deprecated WithExtraQueryParameters APIs. #​3583
  • Update Microsoft.IdentityModel and Abstractions versions. #​3604
  • Update coverlet.collector to 6.0.4. #​3587
  • Update package validation baseline version to 4.0.0. #​3589
  • Bump js-yaml from 4.1.0 to 4.1.1 in /tests/DevApps/SidecarAdapter/typescript. #​3595

Entra ID SDK sidecar

  • Restrict hosts to localhost for sidecar. #​3579
  • Update http file to match endpoints. #​3555
  • Revise sidecar issue template for Entra ID. #​3577

Documentation

  • Update README to include Entra SDK container info. #​3578

Fundamentals

  • Include NET 9.0 in template-install-dependencies. #​3593
  • Fix CodeQL alerts. #​3591
  • Suppression file is needed. #​3592

4.0.1

Bugs fixes

  • Correctly compute Application Key when credential usage fails.
  • Fix bugs where agent user identities didn't work with non-default authentication schemes.

Fundamentals

  • Update .net version to CG compliance

Sidecar

  • Configure Sidecar to default AllowWebApiToBeAuthorizedByACL to true as the container doesn't do authZ

4.0.0

4.0.0

Breaking Changes

Removed support for .NET 6.0 and .NET 7.0 - Microsoft Identity Web 4.0.0 no longer targets .NET 6.0 and .NET 7.0, following Microsoft's support lifecycle. The supported target frameworks are now .NET 8.0, .NET 9.0, .NET Framework 4.6.2, .NET Framework 4.7.2, and .NET Standard 2.0.

See MIGRATION_GUIDE_V4

New features

  • Various improvements to performance logging, authentication, and credential loading capabilities.
  • Bumped MSAL.NET to 4.77.1
  • Added credential description extensibility. For details, see #​3487
  • Added a new CerticateObserverAction type: SuccessfullyUsed and support for multiple certificate observers for improved certificate lifecycle management and telemetry. See #​3505
  • Add specification of OID (in addition to upn) when requesting an authorization header for Agent User Identity. See #​3513
  • Added ClaimsPrincipal and ClaimsIdentity extension methods for agent identity detection in web APIs enabling developers to easily detect agent identities and retrieve parent agent blueprint from token claims. See #​3515
  • Added MicrosoftIdentityMessageHandler for flexible HttpClient authentication. Provides composable alternative to DownstreamApi with per-request authentication configuration. Supports WWW-Authenticate challenge handling. See #​3503
  • Support for multiple certificate observers. See #​3506
  • The Microsoft.Identity.Web.Sidecar will provide a container solution for validation and token acquisition in any-language. See #​3524

Bug Fixes

  • Fixed TokenAcquirerFactory null reference when AppContext.BaseDirectory is root path. See #​3443
  • Fixed IDW10405 error when using managed identity with common tenant. See #​3415
  • Removed hard dependency on IConfiguration in OidcIdpSignedAssertionLoader. See #​3414

Fundamentals

  • Various improvements to .NET support and dependency optimizations.
  • Added doc for Agent identities. See Agent identities
  • Combined and fixed test collections. See #​3472
  • Migrate repository agent rules from .clinerules to agents.md. See #​3475
  • Add .NET 6.x setup step to dotnetcore.yml workflow, as the default build agents don't have it any longer. See #​3489
  • Renamed NET 7 tests to ThreadingTests for framework independence. See #​3501

3.14.1

3.14.1

Bug fixe

  • Support client secrets with agent user identities. See #​3470 for details.

3.14.0

New features

  • Support multi-tenant agent user identities. See #​3461 for details.
  • Id Web now allows for passing of ExtraBodyParameters. See #​3463 for details.

3.13.1

3.13.1

Dependencies updates

  • Microsoft.IdentityModel updated to version 8.14.0.

3.13.0

3.13.0

Dependencies updates

  • Microsoft.IdentityModel updated to version 8.13.1.
  • Microsoft.Abstractions updated to version 9.3.0 and using IAuthenticationSchemeInformationProvider from that library, deprecating the interface of the same name in Microsoft.Identity.Web (introduced in 3.12.0).

Bug fixes

  • Fixed an issue with instantiation of TokenAcquirerFactory when AppContext.BaseDirectory is root path. See PR #​3443 for details.

Fundamentals

3.12.0

3.12.0

Dependencies updates

  • Updated MSAL to version 4.74.1 part of #​3398.

Bug fix

Reload certificates for all client credential based issues to solve the issue that when a bad certificate was installed on the machine and picked up, and subsequently rotated, a service restart was needed for the new certificate to be used. See issue #​3429 and PR #​3430

New features

  • Include the thrown exception in CertificateChangeEventArg. See PR #​3428 for better supportabiliby.
  • Support for Agent User identities. See PR #​3435

3.11.0

3.11.0

Dependencies updates

  • Updated global.json to the latest .NET 9 runtime framework 9.0.108. See PR #​3422 for details.

Bug fixes

  • Fix IDW10405 error when using managed identity with common tenant. See PR #​3415 for details.
  • Fix OidcIdpSignedAssertionLoader to remove hard dependency on IConfiguration registration. See PR #​3414 for details.

New feature

  • Add support for ExtraHeaderParameters and ExtraQueryParameters properties on DownstreamApiOptions to simplify adding custom headers and query parameters to downstream API requests. See PR #​3413 for details.
  • Add better support for Azure SDK. For details see Readme-Azure and PR #​3416

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.10.0...3.11.0

3.10.0

3.10.0

Dependencies updates

  • Updated MSAL to version 4.73.1 (#​3398).
  • Updated global.json to the latest .NET 9 runtime framework 9.0.107 (#​3385).

New feature

  • Added support for Agent Identities (#​3396, #​3402).
    introducing the Microsoft.Identity.Web.AgentIdentities package .

Bug fixes

  • Processed codeQL issues

Fundamentals

  • improved unit tests for OidcFic with the new SignedAssertionFmiPath

3.9.4

3.9.4

Package updates

  • Microsoft.IdentityModel updated to version 8.12.1.

Bug fix

  • Updates the DefaultAuthorizationHeaderProvider to update the AcquireTokenOptions.LongRunningWebApiSessionKey after the token is acquired so that the key can be used in the next OBO call. See PR #​3381 for details.

Fundamentals

  • Update .NET SDK version to 9.0.107 used when building or running the code. See #​3385 for details.
  • Improved test coverage for managed identity flows. See #​3350 for details.

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.9.3...3.9.4

3.9.3

3.9.3

Package updates

  • Microsoft.IdentityModel updated to version 8.12.0.

Fundamentals

  • Add .clinerules to help with AI tooling.
  • Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0 Upgraded analyzer packages for improved diagnostics and code consistency (in particular delegates are added). For details see #​3379

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.9.2...3.9.3

3.9.2

3.9.2

Package updates

Fundamentals:

  • Fix invalid comparisons in prop and csproj files. For details see #​3297.

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.9.1...3.9.2

3.9.1

3.9.1

Package updates

  • Microsoft.Identity.Abstractions updated to version 9.1.0.

Fundamentals

  • Fix AoT warnings. For details see #​3366.

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.9.0...3.9.1

3.9.0

3.9.0

Package updates

Bug fixes

  • Fixed issue where RequiredScopeOrAppPermission extension method didn’t work with Minimal APIs. See #​3323.
  • Resolved IL warnings from AddDownstreamApis in NativeAOT projects. See #​3355.
  • Ensured AcquireTokenForConfidentialClient correctly passes MSAL exceptions. See #​3345.
  • Prevented null reference when accessing MergedOptions instance. See #​3337.

New feature

  • Added optional login_hint and domain_hint support to AccountController.SignIn endpoint. See #​3244 and #​3348.

Fundamentals

  • Introduced Long-Term Support (LTS) policy. See #​3357.
  • Added tests to validate xms_cc (client capability) forwarding in CCA flows. See #​3349.

External contributions

Thank you @​evan-buss for your contribution and fixing the issue where RequiredScopeOrAppPermission extension method didn’t work with Minimal APIs. See #​3323.
Thank you @​neha-bhargava for your contribution and ensuring AcquireTokenForConfidentialClient correctly passes MSAL exceptions. See #​3345.

3.8.4

3.8.4

Package updates

Bug fixes

  • Fixed the issue where FmiPath was not persisted when copying/reinitializing AcquireTokenOptions. See #​3336.

New feature

Fundamentals

  • Removed System.Text.Json as an explicit dependency for .NET Core targets. See #​3331.

3.8.3

3.8.3

Package updates

New feature

  • TokenAcquistion.cs adds its service provider to the acquisition options. See issue #​3315 for details.

3.8.2

3.8.2

  • Updated to Microsoft.Identity.Abstractions 9.0.0

New feature

  • An exception is now thrown if MSAL TokenCacheNotificationArgs indicates that distributed cache is configured when it should not have been. See #​3304.
  • Added support for federated identity credentials with AT_POP. See #​3299.

3.8.1

New features

  • Updated to Microsoft.IdentityModel.* 8.7.0

Bug fixes

  • Pins Microsoft.Extensions.Http dependency version to 3.1.3 for .NET Framework and .NET Standard and uses inbox version for .NET Core. See #​3145.

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.8.0...3.8.1

3.8.0

3.8.0

New feature

  • Updated to Microsoft.IdentityModel.* 8.6.1
  • Updated to MSAL.NET 4.69.1
  • Updated the Json Schema to include extensiblity for signed assertion providers. See #​3235
  • Added support for Federation Identity Credential on any OIDC Idp (FIC+OIDC credential provider). See #​3255
  • Support for acquiring token for Federation Managed Identity (FMI). Supports the FmiPath property of AcquireTokenOptions. See #​3247
  • Downstream APIs now support Authorization headers with a custom SAML bearer syntax. See #​3273

Bug fixes

  • TokenAcquirerFactory is now thread safe. See #​3274
  • Fix a bug in the parsing of the token in the authority. See #​3261

Fundamentals

  • Removed old Blazorwasm sample, wasm-tools and added new blazor web API: #​3259, #​3257, #​3254
  • Modified the build so that, in CI/CD internal builds, the NuGet.olg NuGet source is replaced by a managed Nuget source. More verbose information added. See #​3263
  • Fixed CS8602 Warnings in Weather.razor (BlazorApp) – Handle Nullable forecasts and user.Identity. See #​3266,

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.7.1...3.8.0

3.7.1

3.7.1

  • Updated to Microsoft.IdentityModel.* 8.5.0

3.7.0

3.7.0

  • Updated to Microsoft.Identity.Abstractions 8.1.0
  • Updated to Microsoft.IdentityModel.* 8.4.0

New Feature

  • IdentityWeb now provides extensibility to DefaultCredentialsLoader so that partner teams, or an SDK on top of IdWeb, can bring their own credential providers. See #​3220 for details.

Bug fixes

  • The merged options are now being passed to MSAL for the CCA ROPC scenario. See #​3207 for details.

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.6.2...3.7.0

Commits viewable in compare view.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump Microsoft.Identity.Web from 3.6.2 to 4.8.0
1a71a90 
---
updated-dependencies:
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.8.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 27, 2026

Labels

The following labels could not be found: dependabot. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 27, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 27, 2026

Superseded by #216.

@dependabot dependabot Bot closed this Apr 27, 2026
@dependabot dependabot Bot deleted the dependabot/nuget/2-Call-OwnApi/TodoList-WebApi/Microsoft.Identity.Web-4.8.0 branch April 27, 2026 06:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants