Bump Microsoft.Identity.Web and 2 others #71

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/nuget/src/backend/ProjectMetadataPlatform.Application/multi-db8cfcf7c7

dependabot Bot commented on behalf of github Jun 8, 2026

Updated Microsoft.Identity.Web from 3.14.1 to 4.10.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.10.0

New features

  • Add WithExtraBodyParameters fluent API for attaching extra body parameters to token acquisition requests. See #​3819.
  • Add IConfidentialClientApplicationProvider extensibility interface and CachePartitionKey support for silent token acquisition. See #​3822.

Bug fixes

  • Redirect URI sanitization in authorization scenarios; centralize redirect URI validation in a shared helper. See #​3825.
  • Reject dSTS-shaped Authority values with a clearer exception, steering users to use Instance + TenantId instead. See #​3805.
  • Improve regex handling and add length/timeout safeguards for SameSite User Agent. See #3811.

Behavior changes

  • B2C OpenID Connect event handler: LRU cache for issuer address. Issuer address lookups in the B2C OIDC event handler are now cached with an LRU cache, improving performance for repeated lookups. See #​3821.

Dependencies updates

  • Update MSAL.NET to 4.84.1. See #​3822.
  • Pin Microsoft.Kiota.Abstractions to 1.22.0 for GraphServiceClient. See #​3817.
  • Bump uuid and @​azure/msal-node in SidecarAdapter TypeScript test app. See #​3826.
  • Bump qs in SidecarAdapter TypeScript test app. See #​3829.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

4.8.0

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

4.7.0

Bug fixes

  • Updates to Microsoft.Identity.Abstractions 12.0.0 to revert breaking changes introduced in Abstractions 11.0.0. (On .NET 10 target, Certificate extension method in CredentialDescription was reverted to normal property.) See #​3767.

4.6.0

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@4.5.0...4.6.0

4.5.0

New features

  • Add support for certificate store lookup by subject name. See #​3742.

Dependencies updates

  • Bump minimatch in /tests/DevApps/SidecarAdapter/typescript. See #​3739.
  • Bump rollup from 4.52.3 to 4.59.0 in /tests/DevApps/SidecarAdapter/typescript. See #​3740.

4.4.0

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

New Contributors

4.4.0-preview.1

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

4.3.0

New features

  • Added token binding (mTLS PoP) scenario for confidential client (app-only) token acquisition and downstream API calls. See #​3622.

Dependencies updates

  • Bumped qs from 6.14.0 to 6.14.1 in /tests/DevApps/SidecarAdapter/typescript. See #​3660.

Documentation

  • Modernized Identity Web documentation, which can now be found in docs. See #3566.
  • Added token binding (mTLS PoP) documentation. See #​3661.

4.2.0

What's Changed

New features

  • Added CAE claims support for FIC + Managed Identity. See #​3647 for details.
  • Added AddMicrosoftIdentityMessageHandler extension methods for IHttpClientBuilder. See #​3649 for details.

Bug fixes

  • Fixed tenant not being propagated in credential FIC acquisition. See #​3633 for details.
  • Fixed ForAgentIdentity hardcoded 'AzureAd' ConfigurationSection to respect AuthenticationOptionsName. See #​3635 for details.
  • Fixed GetTokenAcquirer to propagate MicrosoftEntraApplicationOptions properties. See #​3651 for details.
  • Added meaningful error message when identity configuration is missing. See #​3637 for details.

Dependencies updates

  • Update Microsoft.Identity.Abstractions to version 10.0.0.
  • Bump express from 5.1.0 to 5.2.0 in /tests/DevApps/SidecarAdapter/typescript. #​3636
  • Bump jws from 3.2.2 to 3.2.3 in /tests/DevApps/SidecarAdapter/typescript. #​3641

Fundamentals

  • Update support policy. #​3656
  • Update agent identity coordinates in E2E tests after deauth. #​3640
  • Update E2E agent identity configuration to new tenant. #​3646

Full Changelog: AzureAD/microsoft-identity-web@4.1.1...4.2.0

4.1.1

Bug fixes

  • Authority-only configuration parsing improvements: Early parsing of Authority into Instance/TenantId and defensive fallback in PrepareAuthorityInstanceForMsal. Behavior is backward compatible; Authority is still ignored when Instance/TenantId explicitly provided—now surfaced via a warning. See #​3612.

New features

  • Added warning diagnostics for conflicting Authority vs Instance/TenantId: Emitting a single structured warning when both styles are provided. See #​3611.

Fundamentals

  • Expanded authority test matrix: Coverage for AAD (v1/v2), B2C (/tfp/ normalization, policy path), CIAM (PreserveAuthority), query parameters, scheme-less forms, and conflict scenarios. See #​3610.

4.1.0

New features

Dependencies updates

  • Bump MSAL.NET to version 4.79.2 and handle changes to deprecated WithExtraQueryParameters APIs. #​3583
  • Update Microsoft.IdentityModel and Abstractions versions. #​3604
  • Update coverlet.collector to 6.0.4. #​3587
  • Update package validation baseline version to 4.0.0. #​3589
  • Bump js-yaml from 4.1.0 to 4.1.1 in /tests/DevApps/SidecarAdapter/typescript. #​3595

Entra ID SDK sidecar

  • Restrict hosts to localhost for sidecar. #​3579
  • Update http file to match endpoints. #​3555
  • Revise sidecar issue template for Entra ID. #​3577

Documentation

  • Update README to include Entra SDK container info. #​3578

Fundamentals

  • Include NET 9.0 in template-install-dependencies. #​3593
  • Fix CodeQL alerts. #​3591
  • Suppression file is needed. #​3592

4.0.1

Bug fixes

  • Correctly compute Application Key when credential usage fails.
  • Fix bugs where agent user identities didn't work with non-default authentication schemes.

Fundamentals

  • Update .net version to CG compliance

Sidecar

  • Configure Sidecar to default AllowWebApiToBeAuthorizedByACL to true as the container doesn't do authZ

4.0.0

Breaking Changes

Removed support for .NET 6.0 and .NET 7.0 - Microsoft Identity Web 4.0.0 no longer targets .NET 6.0 and .NET 7.0, following Microsoft's support lifecycle. The supported target frameworks are now .NET 8.0, .NET 9.0, .NET Framework 4.6.2, .NET Framework 4.7.2, and .NET Standard 2.0.

See MIGRATION_GUIDE_V4

New features

  • Various improvements to performance logging, authentication, and credential loading capabilities.
  • Bumped MSAL.NET to 4.77.1
  • Added credential description extensibility. For details, see #​3487
  • Added a new CerticateObserverAction type: SuccessfullyUsed and support for multiple certificate observers for improved certificate lifecycle management and telemetry. See #​3505
  • Add specification of OID (in addition to upn) when requesting an authorization header for Agent User Identity. See #​3513
  • Added ClaimsPrincipal and ClaimsIdentity extension methods for agent identity detection in web APIs enabling developers to easily detect agent identities and retrieve parent agent blueprint from token claims. See #​3515
  • Added MicrosoftIdentityMessageHandler for flexible HttpClient authentication. Provides composable alternative to DownstreamApi with per-request authentication configuration. Supports WWW-Authenticate challenge handling. See #​3503
  • Support for multiple certificate observers. See #​3506
  • The Microsoft.Identity.Web.Sidecar will provide a container solution for validation and token acquisition in any language. See #3524

Bug Fixes

  • Fixed TokenAcquirerFactory null reference when AppContext.BaseDirectory is root path. See #​3443
  • Fixed IDW10405 error when using managed identity with common tenant. See #​3415
  • Removed hard dependency on IConfiguration in OidcIdpSignedAssertionLoader. See #​3414

Fundamentals

  • Various improvements to .NET support and dependency optimizations.
  • Added doc for Agent identities. See Agent identities
  • Combined and fixed test collections. See #​3472
  • Migrate repository agent rules from .clinerules to agents.md. See #​3475
  • Add .NET 6.x setup step to dotnetcore.yml workflow, as the default build agents don't have it any longer. See #​3489
  • Renamed NET 7 tests to ThreadingTests for framework independence. See #​3501

3.15.0

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3785.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #3793.

Dependencies updates

  • Updated MSAL.NET 4.76.0 → 4.83.1
  • Bump System.Security.Cryptography.Pkcs and System.Security.Cryptography.Xml to latest patched versions. See #​3799.

Full Changelog: 3.14.1...3.15.0 (AzureAD/microsoft-identity-web@3.14.1...3.15.0)

Commits viewable in compare view.

Updated Microsoft.IdentityModel.Tokens from 7.1.2 to 8.19.1.

Release notes

Sourced from Microsoft.IdentityModel.Tokens's releases.

8.19.1

Bug Fixes

  • Update JwtSecurityTokenHandler for IssuerSigningKeyResolverUsingConfiguration to take priority over IssuerSigningKeyResolver, matching the documented contract and the correct behavior already present in JsonWebTokenHandler. See PR #​3519.

8.19.0

New Features

  • Add ML-DSA (FIPS 204) post-quantum signature support. See PR #​3479.
  • Cache custom crypto providers in CryptoProviderFactory. See PR #​3489.

Bug Fixes

  • Disable automatic redirects on default HttpClient for JKU retrieval. See PR #​3494.
  • Adjust rented buffer handling in claim set parsing. See PR #​3493.
  • Tidy null handling in SAML conditions validation. See PR #​3491.
  • Improve validation of jku claim. See PR #​3481.
  • Limit telemetry algorithm dimension cardinality. See PR #​3490.
  • Add defensive copy of collections in ValidationParameters. See PR #​3492.
  • Update TokenValidationParameter copy constructor to make a deep copy. See PR #​3488.
  • Update to fail-closed when replay protection isn't configured and other DPoP hardening. See PR #​3505.
  • Apply RFC 3986 section 6.2.2 normalization to DPoP htu comparison. See PR #​3509.

8.18.0

New Features

  • Introduced a new interface IConfigurationEventHandlerContextAware<T> that provides context to the configuration event handler implementation, allowing it to optionally bypass a cache lookup. See PR #​3444.
  • Added Microsoft.IdentityModel.Dpop — a new package implementing DPoP (Demonstrating Proof-of-Possession) per RFC 9449. Provides both client-side and server-side proof validation with no System.Net.Http dependency. See PR #​3443.

8.17.0

Dependencies

  • Downgrade MicrosoftExtensionsLoggingAbstractionsVersion to 8.0.0 on .NET 10. See PR #​3435.

8.16.0

New Features

  • Add telemetry around signature validation. See PR #​3415 for details.

Fundamentals

  • Fix FileVersion format to use two-digit year and day of year. See PR #​3389 for details.

8.15.0

New Features

  • Add ECDsa support in X509SecurityKey and JsonWebKeyConverter.ConvertFromX509SecurityKey
    Extended X509SecurityKey and JsonWebKeyConverter.ConvertFromX509SecurityKey to support ECDSA keys.
    See PR #​2377 for details.

Bug Fixes

  • Sanitize logs to avoid leaking sensitive data
    Updated logging to sanitize sensitive values, reducing the risk of inadvertently exposing secrets or PII in logs.
    See PR #​3316 for details.
  • Optimize log sanitization with SearchValues
    Improved the performance of the log sanitization logic introduced earlier by using SearchValues, making sanitization more efficient in high-throughput scenarios.
    See PR #​3341 for details.
  • Update test for IDX10400
    Adjusted the IDX10400 test to align with the current behavior and error messaging.
    See PR #​3314 for details.

Fundamentals

  • Add supported algorithm tests
    Added new tests to validate the set of supported cryptographic algorithms, increasing confidence in algorithm coverage and compatibility.
    See PR #​3296 for details.
  • Migrate repository agent rules from .clinerules to agents.md
    Moved repository agent/AI-assist rules into markdown documentation to make them more visible and easier to maintain.
    See PR #​3313 for details.
  • Migrate Microsoft.IdentityModel.TestExtensions from Newtonsoft.Json to System.Text.Json
    Updated Microsoft.IdentityModel.TestExtensions to use System.Text.Json instead of Newtonsoft.Json, aligning tests with the runtime serialization stack.
    See PR #​3356 for details.
  • Disable code coverage comments
    Turned off automated code coverage comments on PRs to reduce noise while retaining coverage data elsewhere.
    See PR #​3349 for details.
  • Fix CodeQL alerts
    Addressed CodeQL-reported issues to improve security posture and static analysis cleanliness.
    See PR #​3364 for details.

.NET 10 / SDK and tooling updates

  • Building with .NET 10 preview / RC 1
    Updated the repository to build and test against .NET 10.0 preview/RC1, ensuring early compatibility with the upcoming runtime.
    See PRs #​3287, #​3357, and #​3358 for details.
  • Fix .NET 10 test execution consistency
    Ensured consistent use of the TargetNetNext parameter across build, test, and pack phases so .NET 10.0 tests execute reliably.
    See PR #​3337 for details.
  • Update project files and workflows for .NET 10.0 compatibility
    Adjusted project files and CI workflows to correctly target and run on .NET 10.0, including test and pack scenarios.
    See PR #​3363 for details.
  • Update .NET version to meet CG compliance
    Updated the .NET version references to be compliant with corporate governance (CG) requirements.
    See PR #​3353 for details.
  • Update Coverlet collector and test SDK
    • Bumped CoverletCollectorVersion to 6.0.4.
      See PR #​3333 for details.
    • Upgraded Microsoft.NET.Test.Sdk to a newer version for improved test reliability and tooling support.
      ... (truncated)

8.14.0

Bug Fixes

  • Switch back to use ValidationResult instead of OperationResult when validating a token in a new experimental validation flow. Additionally removed the dependency on Microsoft.IdentityModel.Abstractions. See #​3299 for details.

8.13.1

Dependencies

Microsoft.IdentityModel now depends on Microsoft.Identity.Abstractions 9.3.0

Bug Fixes

  • Fixed a decompression failure happening for large JWE payloads. See #​3286 for details.

Work related to redesign of IdentityModel's token validation logic #​2711

  • Update the validation methods to return Microsoft.Identity.Abstractions.OperationResult. See #​3284 for details.

8.13.0

Fundamentals

  • CaseSensitiveClaimsIdentity.SecurityToken setter is now protected internal (was internal). See PR #​3278 for details.
  • Update .NET SDK version to 9.0.108 used when building or running the code. See PR #​3274 for details.
  • Update RsaSecurityKey.cs to replace the Pkcs1 padding by Pss from HasPrivateKey check. See #​3280 for details.

What's Changed

New Contributors

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.12.1...8.13.0

8.12.1

Fundamentals

  • Update .NET SDK version to 9.0.107 used when building or running the code. See #​3263 for details.
  • To keep our experimental code separate from production code, all files associated with experimental features have been moved to the Experimental folders. See PR #​3261 for details.
  • Experimental code leaked into TokenValidationResult from early prototypes. See PR #​3259 for details.

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.12.0...8.12.1

8.12.0

New Features

  • Enhance ConfigurationManager with event handling
    Added event handling capabilities to the ConfigurationManager, enabling consumers to subscribe to configuration change events. This enhancement improves extensibility and allows more responsive applications. For details see #​3253

Bug Fixes

  • Add expected Base64UrlEncoder.Decode overload for NET6 and 8
    Introduced the expected overload of Base64UrlEncoder.Decode for .NET 6 and 8, ensuring compatibility and preventing missing method issues on these frameworks.
    For details see #​3249

Fundamentals

  • Add AI assist rules
    Incorporated AI assist rules to enhance AI agents' effectiveness.
    For details see #​3255
  • Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0
    Upgraded analyzer packages for improved diagnostics and code consistency (in particular delegates are added).
    For details see #​3256
  • Move suppression of RS006 to csproj
    Centralized suppression of RS006 warnings in project files for easier management.
    For details see #​3230

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.11.0...8.12.0

8.11.0

New Features:

  • Microsoft.IdentityModel now exposes the AadIssuerValidator factory method publicly to enable caching functionality for AadIssuerValidator instances. See issue #​3245 for details.
  • Added a new public async API: JsonWebTokenHandler.DecryptTokenWithConfigurationAsync, which decrypts a JWE token using keys from either TokenValidationParameters or, if not present, from configuration (such as via a ConfigurationManager). This enhancement improves developer experience by enabling asynchronous, cancellation-aware JWE decryption scenarios, aligning with modern .NET async patterns and making integration with external key/configuration sources more robust and observable. See PR #​3243 for details.

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.10.0...8.11.0

8.10.0

Bug Fixes

  • Corrected casing of the Type attribute in SubjectConfirmationData. See #​3206.
  • Removed Microsoft.Bcl.Memory dependency for pre-.NET 9.0 targets. See #​3220.
  • Aligned Microsoft.Extensions.Logging.Abstractions version to 8.0.0 for .NET 9 to match other targets. See #​3226.

Fundamentals

8.9.0

Bug Fixes

New Features

Fundamentals

8.8.0

New Features

  • Adds the ability for the metadata refresh to be done as a blocking call, as per 8.0.1 behavior. This is done through the Switch.Microsoft.IdentityModel.UpdateConfigAsBlocking switch. If set, configuration calls will be blocking when metadata is updated; otherwise, if tokens arrive with new signing keys, validation errors will be returned to the caller. See PR #3193 for details.
  • Identity.Model updates some log and error messages (IDX10214, IDX10215). If the information is needed for debugging purposes, it can be reverted via the Switch.Microsoft.IdentityModel.DoNotScrubExceptions AppContextSwitch. See PR #​3195 and https://aka.ms/identitymodel/app-context-switches for details.
  • Change all plain object locks to System.Thread.Lock objects for .NET 9 or greater. See PRs #​3185 and #​3189 for details.

8.7.0

Bug Fixes

  • Add back internal methods IsRecoverableException and IsRecoverableExceptionType whose signatures were changed in the previous version. See #​3181.

New Features

  • Make Cnf class public and move it to Microsoft.IdentityModel.Tokens package. See #​3165.

What's Changed

New Contributors

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.6.1...8.7.0

8.6.1

Bug fix

  • Microsoft.IdentityModel now triggers a configuration refresh if token decryption fails. See issue #​3148 for details.
  • Fix a bug in JsonWebTokenHandler where JwtTokenDecryptionParameters's Alg and Enc were not set during token decryption, causing IDX10611 and IDX10619 errors to show null values in the messages. See issue #​3003 for details.

Fundamentals

  • For development, IdentityModel now has a global.json file to specify the .NET SDK version. See issue #​2995 for details.

What's Changed

New Contributors

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.6.0...8.6.1

8.6.0

New Features

  • TokenValidationParameters has a new boolean property TryAllDecryptionKeys that lets you choose whether to try all decrypt keys when no key matches the token decrypt key IDs. By default it's set to true (legacy behavior) but you can set it to false to avoid trying all keys, which is more performant. See #3128
  • Promote KeyInfo.MatchesKey from internal to protected internal virtual to enable SAML extensibility (for CoreWcf). See #​3140

Fundamentals

  • Update dependency on Microsoft.Extensions.Logging.Abstractions from 9.0.0 to 8.0.2 to avoid package downgrade in apps on .NET 9 using a netstandard2.0 library referencing logging.abstractions. See #3143
  • Add more tests for encrypted tokens. See #​3139

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.5.0...8.6.0

8.5.0

Reverting previous breaking change

  • The Configuration Manager has been reverted to version 8.3.1. The changes made in 8.4.0 assume the configuration manager is used as a singleton, which is similar to marking the type as disposable. We have since learned that adding IDisposable is a breaking change, so we are following semver guidance and reverting and releasing a minor version (8.5.0).
  • Cherry-picked Changes: Included changes from PR #​3022 and #​3104.

What's Changed

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.4.0...8.5.0

8.4.0

New Features

  • App context switch allows blocking or non-blocking calls for configuration. See PR #​3106 for details and issue #​3082 for details. If you are not using the ConfigurationManager as a singleton and not using the blocking option, you may need to call ShutdownBackgroundTask() to stop the background task to avoid leaking Tasks.
  • IdentityModel now enables symmetric and asymmetric keys to be created publicly with JWK. See #​3094 for details.
  • IdentityModel now allows specifying the HTTP protocol version and version policy. See #​2808 for details.

Repair items

  • Add request count and duration telemetry for configuration requests. See #​3022 for details.
  • KeyID should be present in exception messages and is no longer PII. See #​3104 for details.

Fundamentals

  • Fix spelling issues in xml comments. See #​3117 for details.
  • Fix comment coverage in PR builds. See #​3079 for details.

Work related to redesign of IdentityModel's token validation logic #​2711

8.3.1

Bug Fixes

  • Respect TVP.RequireAudience when set to false. See #​3055
  • For net4.6.2 select RSACng for PSS support. See #​3097
  • Fix package downgrade in consuming libraries. See #3062
  • Fix integer overflow in AuthenticationEncryptionProvider.cs. See #​3063

Fundamentals

  • Removed unused property on JsonWebToken ClaimsIdentity. See #​3071 for details.
  • Upgrade to C# 13. See #​2998
  • Use new Base64Url API. See #​22817
  • Add warning quality check. See #​3067
  • Update dotnet actions. See #3074
  • Fix warnings. See #​3081
  • Test updates in JsonWebToken. See #​3080.

Work related to redesign of IdentityModel's token validation logic #​2711

What's Changed

Description has been truncated

Bumps Microsoft.Identity.Web from 3.14.1 to 4.10.0
Bumps Microsoft.IdentityModel.Tokens to 8.18.0, 8.19.1
Bumps System.IdentityModel.Tokens.Jwt to 8.18.0, 8.19.1

---
updated-dependencies:
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.10.0
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: Microsoft.IdentityModel.Tokens
  dependency-version: 8.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: System.IdentityModel.Tokens.Jwt
  dependency-version: 8.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: Microsoft.IdentityModel.Tokens
  dependency-version: 8.19.1
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: Microsoft.IdentityModel.Tokens
  dependency-version: 8.19.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: System.IdentityModel.Tokens.Jwt
  dependency-version: 8.19.1
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: System.IdentityModel.Tokens.Jwt
  dependency-version: 8.19.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Jun 8, 2026

Looks like these dependencies are no longer a dependency, so this is no longer needed.

dependabot Bot closed this Jun 8, 2026
dependabot Bot deleted the dependabot/nuget/src/backend/ProjectMetadataPlatform.Application/multi-db8cfcf7c7 branch June 8, 2026 12:18