Merged
2 changes: 1 addition & 1 deletion Directory.Build.props
Expand Up @@ -4,7 +4,7 @@
<!-- This needs to be greater than or equal to the validation baseline version. The conditional logic around TargetNetNext is there
to avoid NU5104 for packing a release version library with prerelease deps. By adding preview to it, that warning is avoided.
-->
<MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">4.8.1</MicrosoftIdentityWebVersion>
<MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">4.9.1</MicrosoftIdentityWebVersion>
<!--This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion-->
<Version>$(MicrosoftIdentityWebVersion)</Version>
<EnablePackageValidation>true</EnablePackageValidation>
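Review bot: The new default on the `MicrosoftIdentityWebVersion` line is 4.9.1, but the changelog section added in this same change is headed 4.9.0, and the comment above the property does not explain the gap. If 4.9.1 is meant as the next development version once 4.9.0 ships, say so in that comment block. The same comment requires this value to be greater than or equal to the validation baseline version, which is not among the lines shown, so confirm the baseline against 4.9.1 before this goes in.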
17 changes: 17 additions & 0 deletions changelog.md
@@ -1,3 +1,20 @@
## 4.9.0

### New features
- **Sidecar: per-route override gating.** New `Sidecar:AllowOverrides` configuration section provides explicit, per-route control over whether `optionsOverride.*` query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. `optionsOverride.BaseUrl` is unconditionally rejected on all routes as a hardening measure. See [#3794](https://github.com/AzureAD/microsoft-identity-web/pull/3794).

### Bug fixes
- Fix `AccountController.Challenge` redirect URI validation to reject percent-encoded protocol-relative bypasses (`%2F%2F`, `%5C%2F`, etc.) that could be decoded by misconfigured reverse proxies. See [#3792](https://github.com/AzureAD/microsoft-identity-web/pull/3792).

### Behavior changes
- **DownstreamApi: reserved header filtering.** Headers supplied via `DownstreamApiOptions.ExtraHeaderParameters` whose names match reserved HTTP headers (`Authorization`, `Host`, `Content-Length`, `Proxy-Authorization`, `Sec-*`, `Proxy-*`, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (`ReservedHeaderIgnored` / `DuplicateHeaderIgnored`) is emitted so operators can spot misconfigurations. No exception is thrown. See [#3793](https://github.com/AzureAD/microsoft-identity-web/pull/3793).

### Dependencies updates
- **Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.\* 8.0.x minimum on older TFMs.** Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on `Microsoft.Extensions.DependencyInjection.Abstractions` 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a `CS0433` type collision with the previously-pinned `Microsoft.Extensions.DependencyInjection` 2.1.0. The entire `Microsoft.Extensions.*` stack on these older TFMs has been bumped to 8.x for consistency. **If your application targets net462, net472, or netstandard2.0**, your resolved `Microsoft.Extensions.*` versions will increase (e.g., `Extensions.Http` 3.1.3 → 8.0.0, `Extensions.DependencyInjection` 2.1.0 → 8.0.0, `Extensions.Caching.Memory` 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See [#3787](https://github.com/AzureAD/microsoft-identity-web/pull/3787).
- Bump `System.Text.Json` 8.0.5 → 8.0.6 (CVE-2024-43485). See [#3787](https://github.com/AzureAD/microsoft-identity-web/pull/3787).
- Bump `Microsoft.AspNetCore.DataProtection` to 10.0.7 for CVE fix on net10.0. See [#3796](https://github.com/AzureAD/microsoft-identity-web/pull/3796).
- Bump `OpenTelemetry.Exporter.OpenTelemetryProtocol` 1.14.0 → 1.15.3. See [#3788](https://github.com/AzureAD/microsoft-identity-web/pull/3788).

## 4.8.0

### New features
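Review bot: In the "DownstreamApi: reserved header filtering" bullet, "now silently skipped" is contradicted two sentences later by "A warning-level log entry ... is emitted"; reword to something like "skipped without throwing; a warning is logged". The reserved-header list in the same bullet ends in "etc."; replace that with the complete set or a link to it, since operators need to know exactly which `ExtraHeaderParameters` names stop being forwarded. Two smaller points: the unconditional rejection of `optionsOverride.BaseUrl` and the reject-by-default on unauthenticated routes change what existing callers get, so they deserve a line under "Behavior changes" and not only under "New features"; and the `Microsoft.AspNetCore.DataProtection` bullet says "CVE fix" without an identifier, unlike the `System.Text.Json` bullet, which names CVE-2024-43485.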
Expand Up @@ -37,8 +37,8 @@ Microsoft.Identity.Web.DefaultCredentialsLoader.LoadFirstValidCredentialsAsync(S
Microsoft.Identity.Web.DefaultCredentialsLoader.ResetCredentials(System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.CredentialDescription!>! credentialDescriptions) -> void
Microsoft.Identity.Web.ICertificateLoader
Microsoft.Identity.Web.ICertificateLoader.LoadIfNeeded(Microsoft.Identity.Web.CertificateDescription! certificateDescription) -> void
static Microsoft.Identity.Web.CertificateDescription.FromBase64Encoded(string! base64EncodedValue, string! password) -> Microsoft.Identity.Web.CertificateDescription!
static Microsoft.Identity.Web.CertificateDescription.FromBase64Encoded(string! base64EncodedValue) -> Microsoft.Identity.Web.CertificateDescription!
static Microsoft.Identity.Web.CertificateDescription.FromBase64Encoded(string! base64EncodedValue, string! password) -> Microsoft.Identity.Web.CertificateDescription!
static Microsoft.Identity.Web.CertificateDescription.FromCertificate(System.Security.Cryptography.X509Certificates.X509Certificate2! x509certificate2) -> Microsoft.Identity.Web.CertificateDescription!
static Microsoft.Identity.Web.CertificateDescription.FromKeyVault(string! keyVaultUrl, string! keyVaultCertificateName) -> Microsoft.Identity.Web.CertificateDescription!
static Microsoft.Identity.Web.CertificateDescription.FromPath(string! path, string? password = null) -> Microsoft.Identity.Web.CertificateDescription!
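Review bot: Nothing tells a reviewer that the `CertificateDescription.FromBase64Encoded(string!, string!)` line in this hunk is a pure move relative to the one-argument overload, with no signature added or removed. In a change that also bumps the version and adds release notes, state in the description that the API listing files were re-sorted mechanically, or put the re-sort in its own commit, so that someone checking the release for public API changes does not have to pair up moved lines by hand.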
Expand Up @@ -18,8 +18,8 @@ Microsoft.Identity.Web.ClientAssertionProviderBase.ClientAssertionProviderBase()
Microsoft.Identity.Web.ClientAssertionProviderBase.Expiry.get -> System.DateTimeOffset?
Microsoft.Identity.Web.ClientAssertionProviderBase.GetSignedAssertionAsync(Microsoft.Identity.Client.AssertionRequestOptions? assertionRequestOptions) -> System.Threading.Tasks.Task<string!>!
Microsoft.Identity.Web.ManagedIdentityClientAssertion
Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl, Microsoft.Extensions.Logging.ILogger? logger) -> void
Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) -> void
Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId) -> void
Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) -> void
Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl, Microsoft.Extensions.Logging.ILogger? logger) -> void
override Microsoft.Identity.Web.AzureIdentityForKubernetesClientAssertion.GetClientAssertionAsync(Microsoft.Identity.Client.AssertionRequestOptions? assertionRequestOptions) -> System.Threading.Tasks.Task<Microsoft.Identity.Web.ClientAssertion!>!
override Microsoft.Identity.Web.ManagedIdentityClientAssertion.GetClientAssertionAsync(Microsoft.Identity.Client.AssertionRequestOptions? assertionRequestOptions) -> System.Threading.Tasks.Task<Microsoft.Identity.Web.ClientAssertion!>!
Expand Up @@ -11,13 +11,13 @@ static Microsoft.Identity.Web.Diagnostics.OsHelper.IsMacPlatform() -> bool
static Microsoft.Identity.Web.Diagnostics.OsHelper.IsWindowsPlatform() -> bool
static Microsoft.Identity.Web.IdHelper.CreateTelemetryInfo() -> string!
static Microsoft.Identity.Web.IdHelper.GetIdWebVersion() -> string!
static Microsoft.Identity.Web.Throws.ArgumentException(string! paramName, string? message, System.Exception? innerException) -> void
static Microsoft.Identity.Web.Throws.ArgumentException(string! paramName, string? message) -> void
static Microsoft.Identity.Web.Throws.ArgumentNullException(string! paramName, string? message) -> void
static Microsoft.Identity.Web.Throws.ArgumentException(string! paramName, string? message, System.Exception? innerException) -> void
static Microsoft.Identity.Web.Throws.ArgumentNullException(string! paramName) -> void
static Microsoft.Identity.Web.Throws.ArgumentNullException(string! paramName, string? message) -> void
static Microsoft.Identity.Web.Throws.ArgumentOutOfRangeException(string! paramName) -> void
static Microsoft.Identity.Web.Throws.ArgumentOutOfRangeException(string! paramName, object? actualValue, string? message) -> void
static Microsoft.Identity.Web.Throws.ArgumentOutOfRangeException(string! paramName, string? message) -> void
static Microsoft.Identity.Web.Throws.ArgumentOutOfRangeException(string! paramName) -> void
static Microsoft.Identity.Web.Throws.IfBufferTooSmall(int bufferSize, int requiredSize, string! paramName = "") -> void
static Microsoft.Identity.Web.Throws.IfMemberNull<TParameter, TMember>(TParameter argument, TMember member, string! paramName = "", string! memberName = "") -> TMember
static Microsoft.Identity.Web.Throws.IfNull<T>(T argument, string! paramName = "") -> T
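Review bot: The ordering rule behind the three moved `Throws` entries in this hunk (`ArgumentException` with `innerException`, `ArgumentNullException` with `message`, and the one-argument `ArgumentOutOfRangeException`) is not stated anywhere in the visible lines. Record it next to whatever generates or checks these listings so that the next regeneration does not produce the same churn. Each moved signature appears once on each side of the hunk, so the listed API itself is unchanged.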
Expand All @@ -27,5 +27,5 @@ static Microsoft.Identity.Web.Throws.IfNullOrEmpty<T>(System.Collections.Generic
static Microsoft.Identity.Web.Throws.IfNullOrMemberNull<TParameter, TMember>(TParameter argument, TMember member, string! paramName = "", string! memberName = "") -> TMember
static Microsoft.Identity.Web.Throws.IfNullOrWhitespace(string? argument, string! paramName = "") -> string!
static Microsoft.Identity.Web.Throws.IfOutOfRange<T>(T argument, string! paramName = "") -> T
static Microsoft.Identity.Web.Throws.InvalidOperationException(string! message, System.Exception? innerException) -> void
static Microsoft.Identity.Web.Throws.InvalidOperationException(string! message) -> void
static Microsoft.Identity.Web.Throws.InvalidOperationException(string! message, System.Exception? innerException) -> void
Expand Up @@ -11,9 +11,9 @@ Microsoft.Identity.Web.GraphServiceClientOptions.User.set -> void
Microsoft.Identity.Web.GraphServiceCollectionExtensions
Microsoft.Identity.Web.MicrosoftGraphExtensions
Microsoft.Identity.Web.RequestOptionsExtension
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, Microsoft.Extensions.Configuration.IConfiguration! configurationSection) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.GraphServiceClientOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, Microsoft.Extensions.Configuration.IConfigurationSection! configurationSection) -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, string! graphBaseUrl = "https://graph.microsoft.com/v1.0", System.Collections.Generic.IEnumerable<string!>? defaultScopes = null) -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, System.Action<Microsoft.Identity.Web.GraphServiceClientOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
Expand Up @@ -10,9 +10,9 @@ Microsoft.Identity.Web.GraphServiceClientOptions.User.get -> System.Security.Cla
Microsoft.Identity.Web.GraphServiceClientOptions.User.set -> void
Microsoft.Identity.Web.GraphServiceCollectionExtensions
Microsoft.Identity.Web.RequestOptionsExtension
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, Microsoft.Extensions.Configuration.IConfiguration! configurationSection) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.GraphServiceClientOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.RequestOptionsExtension.WithAppOnly(this System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>! options, bool appOnly = true, string? tenant = null) -> System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>!
static Microsoft.Identity.Web.RequestOptionsExtension.WithAuthenticationOptions(this System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>! options, Microsoft.Identity.Web.GraphAuthenticationOptions! optionsValue) -> System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>!
static Microsoft.Identity.Web.RequestOptionsExtension.WithAuthenticationOptions(this System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>! options, System.Action<Microsoft.Identity.Web.GraphAuthenticationOptions!>! optionsValue) -> System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>!
@@ -1,5 +1,5 @@
#nullable enable
Microsoft.Identity.Web.GraphBetaServiceCollectionExtensions
static Microsoft.Identity.Web.GraphBetaServiceCollectionExtensions.AddMicrosoftGraphBeta(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphBetaServiceCollectionExtensions.AddMicrosoftGraphBeta(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, Microsoft.Extensions.Configuration.IConfiguration! configurationSection) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphBetaServiceCollectionExtensions.AddMicrosoftGraphBeta(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.GraphServiceClientOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphBetaServiceCollectionExtensions.AddMicrosoftGraphBeta(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
Expand Up @@ -13,8 +13,8 @@ static Microsoft.Identity.Web.BaseRequestExtensions.WithAuthenticationOptions<T>
static Microsoft.Identity.Web.BaseRequestExtensions.WithAuthenticationScheme<T>(this T baseRequest, string! authenticationScheme) -> T
static Microsoft.Identity.Web.BaseRequestExtensions.WithScopes<T>(this T baseRequest, params string![]! scopes) -> T
static Microsoft.Identity.Web.BaseRequestExtensions.WithUser<T>(this T baseRequest, System.Security.Claims.ClaimsPrincipal! user) -> T
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.MicrosoftGraphOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.MicrosoftGraphOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, Microsoft.Extensions.Configuration.IConfigurationSection! configurationSection) -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, string! graphBaseUrl = "https://graph.microsoft.com/v1.0", string! defaultScopes = "user.read") -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, System.Action<Microsoft.Identity.Web.MicrosoftGraphOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
Expand Up @@ -12,5 +12,5 @@ static Microsoft.Identity.Web.BaseRequestExtensions.WithAuthenticationOptions<T>
static Microsoft.Identity.Web.BaseRequestExtensions.WithAuthenticationScheme<T>(this T baseRequest, string! authenticationScheme) -> T
static Microsoft.Identity.Web.BaseRequestExtensions.WithScopes<T>(this T baseRequest, params string![]! scopes) -> T
static Microsoft.Identity.Web.BaseRequestExtensions.WithUser<T>(this T baseRequest, System.Security.Claims.ClaimsPrincipal! user) -> T
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.MicrosoftGraphOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.MicrosoftGraphOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!