Skip to content

Bump Auth0.AspNetCore.Authentication from 1.7.0 to 1.8.0#796

Merged
UncleDave merged 1 commit into
mainfrom
dependabot/nuget/bot/src/ChampionsOfKhazad.Bot.Portal/Auth0.AspNetCore.Authentication-1.8.0
Jun 29, 2026
Merged

Bump Auth0.AspNetCore.Authentication from 1.7.0 to 1.8.0#796
UncleDave merged 1 commit into
mainfrom
dependabot/nuget/bot/src/ChampionsOfKhazad.Bot.Portal/Auth0.AspNetCore.Authentication-1.8.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Updated Auth0.AspNetCore.Authentication from 1.7.0 to 1.8.0.

Release notes

Sourced from Auth0.AspNetCore.Authentication's releases.

1.8.0

Added

  • Multi-Resource Refresh Token (MRRT) support #​249, #​251 (kailash-b) - applications can now obtain access tokens for additional audiences and scopes on demand by exchanging the session's refresh token, without forcing the user through another interactive login.
    • New HttpContext.GetAccessTokenAsync(AccessTokenRequest) extension returns an access token for a requested audience and/or scope, served from the session cache when possible and otherwise via a refresh-token exchange.
    • Configure default scopes per audience with Auth0WebAppWithAccessTokenOptions.ScopeByAudience.
    • The new OnAccessTokenRefreshFailed event surfaces refresh failures, letting callers distinguish terminal failures (warranting re-login) from transient ones.
    • MFA challenge handling - when a refresh requires MFA, a new MfaRequiredException surfaces the challenge, and IAuthenticationApiClient (registered via WithAuthenticationApiClient()) lets the application complete OTP, OOB, or recovery-code grants and manage authenticators.
  • Configurable access-token expiration leeway #​247 (kailash-b) - new Auth0WebAppWithAccessTokenOptions.AccessTokenExpirationLeeway (TimeSpan, default 60s) controls how far ahead of expiry the SDK proactively refreshes the access token. Previously hard-coded to 60 seconds; the default preserves prior behavior. Applies to both primary and additional (MRRT) cached tokens, and only takes effect when UseRefreshTokens is enabled.
  • Configurable server-side session store #​246 (kailash-b) - new WithSessionStore method on Auth0WebAppAuthenticationBuilder stores the authentication session server-side (via ITicketStore) instead of in the cookie. It attaches the store to the SDK's own resolved cookie scheme, so it works even with a custom CookieAuthenticationScheme. Two overloads are provided: WithSessionStore<TStore>() (resolved from DI) and WithSessionStore(ITicketStore instance). Opt-in and additive; the default stateless cookie session is unchanged.

Fixed

  • Remove duplicate trailing slash from client_assertion audience #​236 (samjetski) - fixes a regression introduced in 1.7.0 (#​206) where the Private Key JWT client assertion aud claim was built as https://{tenant}// (double slash), causing Auth0's /oauth/token endpoint to reject the assertion with 401 invalid_client and leaving affected apps (any using ClientAssertionSecurityKey) in a callback loop.
  • Wire OnValidatePrincipal to the configured cookie scheme #​248 (kailash-b) - fixes a scheme mismatch where the access-token refresh hook was registered against the default "Cookies" scheme rather than the configured CookieAuthenticationScheme.

Security

  • Bump dependencies #​250 (kailash-b) - consolidates several Dependabot bumps (supersedes #​240, #​242, #​243, #​244): Microsoft.IdentityModel.Protocols.OpenIdConnect 8.18.0 → 8.19.1, Microsoft.AspNetCore.Mvc.Testing 10.0.8 → 10.0.9, Microsoft.AspNetCore.Mvc.ViewFeatures 2.3.10 → 2.3.11, System.Text.Encodings.Web 10.0.8 → 10.0.9.
  • Pin GitHub Actions to commit SHAs #​241 (jcchavezs) - pins all third-party actions in the workflow files to commit SHAs for improved supply-chain security and reproducibility.

1.7.1

Security

Commits viewable in compare view.

@dependabot dependabot Bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file labels Jun 29, 2026
---
updated-dependencies:
- dependency-name: Auth0.AspNetCore.Authentication
  dependency-version: 1.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/nuget/bot/src/ChampionsOfKhazad.Bot.Portal/Auth0.AspNetCore.Authentication-1.8.0 branch from 1073bc9 to 40961c7 Compare June 29, 2026 12:15
@UncleDave
UncleDave merged commit 5e2fdfb into main Jun 29, 2026
6 checks passed
@UncleDave
UncleDave deleted the dependabot/nuget/bot/src/ChampionsOfKhazad.Bot.Portal/Auth0.AspNetCore.Authentication-1.8.0 branch June 29, 2026 12:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .net code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant