Bump Microsoft.Identity.Web and Microsoft.IdentityModel.Protocols.OpenIdConnect

[dependabot]

Updated Microsoft.Identity.Web from 4.7.0 to 4.10.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.10.0

New features

• Add WithExtraBodyParameters fluent API for attaching extra body parameters to token acquisition requests. See #​3819.
• Add IConfidentialClientApplicationProvider extensibility interface and CachePartitionKey support for silent token acquisition. See #​3822.

Bug fixes

• Redirect URI sanitization in authorization scenarios; centralize redirect URI validation in a shared helper. See #​3825.
• Reject dSTS-shaped Authority values with a clearer exception, steering users to use Instance + TenantId instead. See #​3805.
• Improve regex handling and adding length/timeout safeguards for SameSite User Agent. See #​3811.

Behavior changes

• B2C OpenID Connect event handler: LRU cache for issuer address. Issuer address lookups in the B2C OIDC event handler are now cached with an LRU cache, improving performance for repeated lookups. See #​3821.

Dependencies updates

• Update MSAL.NET to 4.84.1. See #​3822.
• Pin Microsoft.Kiota.Abstractions to 1.22.0 for GraphServiceClient. See #​3817.
• Bump uuid and @​azure/msal-node in SidecarAdapter TypeScript test app. See #​3826.
• Bump qs in SidecarAdapter TypeScript test app. See #​3829.

4.9.0

New features

• Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

• Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

• DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

• Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
• Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
• Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
• Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

4.8.0

What's Changed

• Bump flatted from 3.3.3 to 3.4.2 in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in Bump flatted from 3.3.3 to 3.4.2 in /tests/DevApps/SidecarAdapter/typescript AzureAD/microsoft-identity-web#3753
• Update changelog.md for ID.Web 4.6.0 by @​bgavrilMS in Update changelog.md for ID.Web 4.6.0 AzureAD/microsoft-identity-web#3756
• Add token binding to MicrosoftIdentityMessageHandler by @​cpp11nullptr in Add token binding to MicrosoftIdentityMessageHandler AzureAD/microsoft-identity-web#3743
• Bump picomatch in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in Bump picomatch in /tests/DevApps/SidecarAdapter/typescript AzureAD/microsoft-identity-web#3759
• Documentation: Clarify managed identity credential types for containerized vs. VM/App Service deployments by @​Copilot in Documentation: Clarify managed identity credential types for containerized vs. VM/App Service deployments AzureAD/microsoft-identity-web#3585
• Bump path-to-regexp from 8.3.0 to 8.4.0 in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in Bump path-to-regexp from 8.3.0 to 8.4.0 in /tests/DevApps/SidecarAdapter/typescript AzureAD/microsoft-identity-web#3762
• Upgrade Microsoft Application Insights packages by @​RojaEnnam in Upgrade Microsoft Application Insights packages AzureAD/microsoft-identity-web#3763
• Use Abstractions 12 by @​pmaytak in Use Abstractions 12 AzureAD/microsoft-identity-web#3761
• Post-4.7.0 by @​pmaytak in Post-4.7.0 AzureAD/microsoft-identity-web#3768
• Fix Comp Gov DOTNET-Security-10.0 by @​reginayap8 in Fix Comp Gov DOTNET-Security-10.0 AzureAD/microsoft-identity-web#3769
• Upgrade CodeQL to V4: Fix 10 CodeQL Analysis Warnings and Errors by @​reginayap8 in Upgrade CodeQL to V4: Fix 10 CodeQL Analysis Warnings and Errors AzureAD/microsoft-identity-web#3770
• fix warnings by @​gladjohn in fix warnings AzureAD/microsoft-identity-web#3771
• adding examples for using postgres as a distributed cache by @​JaredMSFT in adding examples for using postgres as a distributed cache AzureAD/microsoft-identity-web#3766
• Suppress AOT configuration-binding SYSLIB warnings in AotCompatibility test app by @​Copilot in Suppress AOT configuration-binding SYSLIB warnings in AotCompatibility test app AzureAD/microsoft-identity-web#3774
• Bump vite from 7.1.11 to 7.3.2 in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in Bump vite from 7.1.11 to 7.3.2 in /tests/DevApps/SidecarAdapter/typescript AzureAD/microsoft-identity-web#3772
• Skip legacy B2C local-account Todo UI test in WebAppUiTests by @​Copilot in Skip legacy B2C local-account Todo UI test in WebAppUiTests AzureAD/microsoft-identity-web#3778
• Fix initialization of ConfidentialClientApplicationOptions in MergedOptions by @​cpp11nullptr in Fix initialization of ConfidentialClientApplicationOptions in MergedOptions AzureAD/microsoft-identity-web#3760
• Bump net8/net9/net10 runtime package baselines to patched crypto servicing versions by @​Copilot in Bump net8/net9/net10 runtime package baselines to patched crypto servicing versions AzureAD/microsoft-identity-web#3779
• Fix flaky certificate test failures on CI by @​gladjohn in Fix flaky certificate test failures on CI AzureAD/microsoft-identity-web#3780
• MTLS Without Tokens Support by @​tlupes in MTLS Without Tokens Support - DownstreamApi AzureAD/microsoft-identity-web#3747
• Fix CredentialsProvider DI lifetime mismatch causing startup crash in Development by @​Avery-Dunn in Fix CredentialsProvider DI lifetime mismatch causing startup crash in Development AzureAD/microsoft-identity-web#3783
• Remove unused DataProtection configuration from Sidecar by @​Copilot in Remove unused DataProtection configuration from Sidecar AzureAD/microsoft-identity-web#3776

New Contributors

• @​RojaEnnam made their first contribution in Upgrade Microsoft Application Insights packages AzureAD/microsoft-identity-web#3763
• @​reginayap8 made their first contribution in Fix Comp Gov DOTNET-Security-10.0 AzureAD/microsoft-identity-web#3769
• @​JaredMSFT made their first contribution in adding examples for using postgres as a distributed cache AzureAD/microsoft-identity-web#3766

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

Commits viewable in compare view.

Updated Microsoft.IdentityModel.Protocols.OpenIdConnect from 8.15.0 to 8.18.0.

Release notes

Sourced from Microsoft.IdentityModel.Protocols.OpenIdConnect's releases.

8.18.0

New Features

• Introduced a new interface IConfigurationEventHandlerContextAware<T> that provides context to the configuration event handler implementation, allowing it to optionally bypass a cache lookup. See PR #​3444.
• Added Microsoft.IdentityModel.Dpop — a new package implementing DPoP (Demonstrating Proof-of-Possession) per RFC 9449. Provides both client-side and server-side proof validation with no System.Net.Http dependency. See PR #​3443.

8.17.0

Dependencies

• Downgrade MicrosoftExtensionsLoggingAbstractionsVersion to 8.0.0 on .NET 10. See PR #​3435.

8.16.0

New Features

• Add telemetry around signature validation. See PR #​3415 for details.

Fundamentals

• Fix FileVersion format to use two-digit year and day of year. See PR #​3389 for details.

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)