Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Directory.Build.props
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<!-- This needs to be greater than or equal to the validation baseline version. The conditional logic around TargetNetNext is there
to avoid NU5104 for packing a release version library with prerelease deps. By adding preview to it, that warning is avoided.
-->
<MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">4.8.1</MicrosoftIdentityWebVersion>
<MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">4.9.1</MicrosoftIdentityWebVersion>
<!--This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion-->
<Version>$(MicrosoftIdentityWebVersion)</Version>
<EnablePackageValidation>true</EnablePackageValidation>
Expand Down
17 changes: 17 additions & 0 deletions changelog.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,20 @@
## 4.9.0

### New features
- **Sidecar: per-route override gating.** New `Sidecar:AllowOverrides` configuration section provides explicit, per-route control over whether `optionsOverride.*` query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. `optionsOverride.BaseUrl` is unconditionally rejected on all routes as a hardening measure. See [#3794](https://github.com/AzureAD/microsoft-identity-web/pull/3794).

### Bug fixes
- Fix `AccountController.Challenge` redirect URI validation to reject percent-encoded protocol-relative bypasses (`%2F%2F`, `%5C%2F`, etc.) that could be decoded by misconfigured reverse proxies. See [#3792](https://github.com/AzureAD/microsoft-identity-web/pull/3792).

### Behavior changes
- **DownstreamApi: reserved header filtering.** Headers supplied via `DownstreamApiOptions.ExtraHeaderParameters` whose names match reserved HTTP headers (`Authorization`, `Host`, `Content-Length`, `Proxy-Authorization`, `Sec-*`, `Proxy-*`, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (`ReservedHeaderIgnored` / `DuplicateHeaderIgnored`) is emitted so operators can spot misconfigurations. No exception is thrown. See [#3793](https://github.com/AzureAD/microsoft-identity-web/pull/3793).

### Dependencies updates
- **Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.\* 8.0.x minimum on older TFMs.** Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on `Microsoft.Extensions.DependencyInjection.Abstractions` 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a `CS0433` type collision with the previously-pinned `Microsoft.Extensions.DependencyInjection` 2.1.0. Rather than patch individual packages, the entire `Microsoft.Extensions.*` stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. **If your application targets net462, net472, or netstandard2.0**, your resolved `Microsoft.Extensions.*` versions will increase (e.g., `Extensions.Http` 3.1.3 → 8.0.0, `Extensions.DependencyInjection` 2.1.0 → 8.0.0, `Extensions.Caching.Memory` 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See [#3787](https://github.com/AzureAD/microsoft-identity-web/pull/3787).
Comment thread
Avery-Dunn marked this conversation as resolved.
Outdated
- Bump `System.Text.Json` 8.0.5 → 8.0.6 (CVE-2024-43485). See [#3787](https://github.com/AzureAD/microsoft-identity-web/pull/3787).
- Bump `Microsoft.AspNetCore.DataProtection` to 10.0.7 for CVE fix on net10.0. See [#3796](https://github.com/AzureAD/microsoft-identity-web/pull/3796).
- Bump `OpenTelemetry.Exporter.OpenTelemetryProtocol` 1.14.0 → 1.15.3. See [#3788](https://github.com/AzureAD/microsoft-identity-web/pull/3788).

## 4.8.0

### New features
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,8 @@ Microsoft.Identity.Web.DefaultCredentialsLoader.LoadFirstValidCredentialsAsync(S
Microsoft.Identity.Web.DefaultCredentialsLoader.ResetCredentials(System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.CredentialDescription!>! credentialDescriptions) -> void
Microsoft.Identity.Web.ICertificateLoader
Microsoft.Identity.Web.ICertificateLoader.LoadIfNeeded(Microsoft.Identity.Web.CertificateDescription! certificateDescription) -> void
static Microsoft.Identity.Web.CertificateDescription.FromBase64Encoded(string! base64EncodedValue, string! password) -> Microsoft.Identity.Web.CertificateDescription!
static Microsoft.Identity.Web.CertificateDescription.FromBase64Encoded(string! base64EncodedValue) -> Microsoft.Identity.Web.CertificateDescription!
static Microsoft.Identity.Web.CertificateDescription.FromBase64Encoded(string! base64EncodedValue, string! password) -> Microsoft.Identity.Web.CertificateDescription!
static Microsoft.Identity.Web.CertificateDescription.FromCertificate(System.Security.Cryptography.X509Certificates.X509Certificate2! x509certificate2) -> Microsoft.Identity.Web.CertificateDescription!
static Microsoft.Identity.Web.CertificateDescription.FromKeyVault(string! keyVaultUrl, string! keyVaultCertificateName) -> Microsoft.Identity.Web.CertificateDescription!
static Microsoft.Identity.Web.CertificateDescription.FromPath(string! path, string? password = null) -> Microsoft.Identity.Web.CertificateDescription!
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,8 @@ Microsoft.Identity.Web.ClientAssertionProviderBase.ClientAssertionProviderBase()
Microsoft.Identity.Web.ClientAssertionProviderBase.Expiry.get -> System.DateTimeOffset?
Microsoft.Identity.Web.ClientAssertionProviderBase.GetSignedAssertionAsync(Microsoft.Identity.Client.AssertionRequestOptions? assertionRequestOptions) -> System.Threading.Tasks.Task<string!>!
Microsoft.Identity.Web.ManagedIdentityClientAssertion
Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl, Microsoft.Extensions.Logging.ILogger? logger) -> void
Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) -> void
Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId) -> void
Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) -> void
Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl, Microsoft.Extensions.Logging.ILogger? logger) -> void
override Microsoft.Identity.Web.AzureIdentityForKubernetesClientAssertion.GetClientAssertionAsync(Microsoft.Identity.Client.AssertionRequestOptions? assertionRequestOptions) -> System.Threading.Tasks.Task<Microsoft.Identity.Web.ClientAssertion!>!
override Microsoft.Identity.Web.ManagedIdentityClientAssertion.GetClientAssertionAsync(Microsoft.Identity.Client.AssertionRequestOptions? assertionRequestOptions) -> System.Threading.Tasks.Task<Microsoft.Identity.Web.ClientAssertion!>!
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,13 @@ static Microsoft.Identity.Web.Diagnostics.OsHelper.IsMacPlatform() -> bool
static Microsoft.Identity.Web.Diagnostics.OsHelper.IsWindowsPlatform() -> bool
static Microsoft.Identity.Web.IdHelper.CreateTelemetryInfo() -> string!
static Microsoft.Identity.Web.IdHelper.GetIdWebVersion() -> string!
static Microsoft.Identity.Web.Throws.ArgumentException(string! paramName, string? message, System.Exception? innerException) -> void
static Microsoft.Identity.Web.Throws.ArgumentException(string! paramName, string? message) -> void
static Microsoft.Identity.Web.Throws.ArgumentNullException(string! paramName, string? message) -> void
static Microsoft.Identity.Web.Throws.ArgumentException(string! paramName, string? message, System.Exception? innerException) -> void
static Microsoft.Identity.Web.Throws.ArgumentNullException(string! paramName) -> void
static Microsoft.Identity.Web.Throws.ArgumentNullException(string! paramName, string? message) -> void
static Microsoft.Identity.Web.Throws.ArgumentOutOfRangeException(string! paramName) -> void
static Microsoft.Identity.Web.Throws.ArgumentOutOfRangeException(string! paramName, object? actualValue, string? message) -> void
static Microsoft.Identity.Web.Throws.ArgumentOutOfRangeException(string! paramName, string? message) -> void
static Microsoft.Identity.Web.Throws.ArgumentOutOfRangeException(string! paramName) -> void
static Microsoft.Identity.Web.Throws.IfBufferTooSmall(int bufferSize, int requiredSize, string! paramName = "") -> void
static Microsoft.Identity.Web.Throws.IfMemberNull<TParameter, TMember>(TParameter argument, TMember member, string! paramName = "", string! memberName = "") -> TMember
static Microsoft.Identity.Web.Throws.IfNull<T>(T argument, string! paramName = "") -> T
Expand All @@ -27,5 +27,5 @@ static Microsoft.Identity.Web.Throws.IfNullOrEmpty<T>(System.Collections.Generic
static Microsoft.Identity.Web.Throws.IfNullOrMemberNull<TParameter, TMember>(TParameter argument, TMember member, string! paramName = "", string! memberName = "") -> TMember
static Microsoft.Identity.Web.Throws.IfNullOrWhitespace(string? argument, string! paramName = "") -> string!
static Microsoft.Identity.Web.Throws.IfOutOfRange<T>(T argument, string! paramName = "") -> T
static Microsoft.Identity.Web.Throws.InvalidOperationException(string! message, System.Exception? innerException) -> void
static Microsoft.Identity.Web.Throws.InvalidOperationException(string! message) -> void
static Microsoft.Identity.Web.Throws.InvalidOperationException(string! message, System.Exception? innerException) -> void
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,9 @@ Microsoft.Identity.Web.GraphServiceClientOptions.User.set -> void
Microsoft.Identity.Web.GraphServiceCollectionExtensions
Microsoft.Identity.Web.MicrosoftGraphExtensions
Microsoft.Identity.Web.RequestOptionsExtension
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, Microsoft.Extensions.Configuration.IConfiguration! configurationSection) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.GraphServiceClientOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, Microsoft.Extensions.Configuration.IConfigurationSection! configurationSection) -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, string! graphBaseUrl = "https://graph.microsoft.com/v1.0", System.Collections.Generic.IEnumerable<string!>? defaultScopes = null) -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, System.Action<Microsoft.Identity.Web.GraphServiceClientOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,9 @@ Microsoft.Identity.Web.GraphServiceClientOptions.User.get -> System.Security.Cla
Microsoft.Identity.Web.GraphServiceClientOptions.User.set -> void
Microsoft.Identity.Web.GraphServiceCollectionExtensions
Microsoft.Identity.Web.RequestOptionsExtension
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, Microsoft.Extensions.Configuration.IConfiguration! configurationSection) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.GraphServiceClientOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.RequestOptionsExtension.WithAppOnly(this System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>! options, bool appOnly = true, string? tenant = null) -> System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>!
static Microsoft.Identity.Web.RequestOptionsExtension.WithAuthenticationOptions(this System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>! options, Microsoft.Identity.Web.GraphAuthenticationOptions! optionsValue) -> System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>!
static Microsoft.Identity.Web.RequestOptionsExtension.WithAuthenticationOptions(this System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>! options, System.Action<Microsoft.Identity.Web.GraphAuthenticationOptions!>! optionsValue) -> System.Collections.Generic.IList<Microsoft.Kiota.Abstractions.IRequestOption!>!
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#nullable enable
Microsoft.Identity.Web.GraphBetaServiceCollectionExtensions
static Microsoft.Identity.Web.GraphBetaServiceCollectionExtensions.AddMicrosoftGraphBeta(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphBetaServiceCollectionExtensions.AddMicrosoftGraphBeta(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, Microsoft.Extensions.Configuration.IConfiguration! configurationSection) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphBetaServiceCollectionExtensions.AddMicrosoftGraphBeta(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.GraphServiceClientOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphBetaServiceCollectionExtensions.AddMicrosoftGraphBeta(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,8 @@ static Microsoft.Identity.Web.BaseRequestExtensions.WithAuthenticationOptions<T>
static Microsoft.Identity.Web.BaseRequestExtensions.WithAuthenticationScheme<T>(this T baseRequest, string! authenticationScheme) -> T
static Microsoft.Identity.Web.BaseRequestExtensions.WithScopes<T>(this T baseRequest, params string![]! scopes) -> T
static Microsoft.Identity.Web.BaseRequestExtensions.WithUser<T>(this T baseRequest, System.Security.Claims.ClaimsPrincipal! user) -> T
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.MicrosoftGraphOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.MicrosoftGraphOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, Microsoft.Extensions.Configuration.IConfigurationSection! configurationSection) -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, string! graphBaseUrl = "https://graph.microsoft.com/v1.0", string! defaultScopes = "user.read") -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
static Microsoft.Identity.Web.MicrosoftGraphExtensions.AddMicrosoftGraph(this Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder! builder, System.Action<Microsoft.Identity.Web.MicrosoftGraphOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Identity.Web.MicrosoftIdentityAppCallsWebApiAuthenticationBuilder!
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,5 @@ static Microsoft.Identity.Web.BaseRequestExtensions.WithAuthenticationOptions<T>
static Microsoft.Identity.Web.BaseRequestExtensions.WithAuthenticationScheme<T>(this T baseRequest, string! authenticationScheme) -> T
static Microsoft.Identity.Web.BaseRequestExtensions.WithScopes<T>(this T baseRequest, params string![]! scopes) -> T
static Microsoft.Identity.Web.BaseRequestExtensions.WithUser<T>(this T baseRequest, System.Security.Claims.ClaimsPrincipal! user) -> T
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.MicrosoftGraphOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Microsoft.Identity.Web.GraphServiceCollectionExtensions.AddMicrosoftGraph(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Web.MicrosoftGraphOptions!>! configureMicrosoftGraphOptions) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
Loading
Loading