Skip to content

Bump Auth0.AspNetCore.Authentication from 1.7.1 to 1.9.0#246

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/ShortenUrl/Auth0.AspNetCore.Authentication-1.9.0
Open

Bump Auth0.AspNetCore.Authentication from 1.7.1 to 1.9.0#246
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/ShortenUrl/Auth0.AspNetCore.Authentication-1.9.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Updated Auth0.AspNetCore.Authentication from 1.7.1 to 1.9.0.

Release notes

Sourced from Auth0.AspNetCore.Authentication's releases.

1.9.0

Added

  • Token Vault support #​255 (kailash-b) - web apps can now obtain a third-party API access token for a federated connection (e.g. Google, GitHub, Slack) on behalf of the logged-in user by exchanging the session's refresh token, without running a separate provider OAuth flow.
    • New HttpContext.GetAccessTokenForConnectionAsync(AccessTokenForConnectionRequest, string? scheme = null) extension serves an unexpired connection token from the session cache when possible, and otherwise exchanges the refresh token and persists the result.
    • AccessTokenForConnectionRequest carries Connection (required), an optional LoginHint (the provider-side IdP user ID), and ForceRefresh to bypass the cache.
    • Returns null rather than throwing when no refresh token is present (fires OnMissingRefreshToken) or the exchange is rejected (fires OnAccessTokenRefreshFailed).
  • Custom Token Exchange support #​258 (kailash-b) - applications can exchange an existing external/custom security token for Auth0 tokens without a browser redirect (RFC 8693), enabling delegation/impersonation and agent-identity scenarios. Requires a Custom Token Exchange Profile and a validation Action configured in the tenant.
    • New HttpContext.CustomTokenExchangeAsync(CustomTokenExchangeRequest) extension performs the exchange. CustomTokenExchangeRequest takes SubjectToken and SubjectTokenType (required), plus optional Audience, Scope, an ActorToken/ActorTokenType delegation pair, and Organization.
    • CustomTokenExchangeResult returns the exchanged tokens (AccessToken, IdToken, RefreshToken, ExpiresIn, Scope) and the decoded act (actor) claim for delegation flows.
    • Stateless by design - the exchange returns tokens but has no session side-effects: it does not sign the user in or write any cookie, leaving the caller to decide what to persist.
    • Client-side validation runs before any network call (subject_token must be non-empty and un-prefixed; subject_token_type must be a valid 10–100 character URI, rejecting the reserved urn:ietf: and urn:auth0: namespaces; an actor token requires its matching type). Failures surface as CustomTokenExchangeException, which carries StatusCode, Error, and ErrorDescription but never token-bearing bytes.
  • Claims refresh and OnTokensRefreshed event on token refresh #​254 (kailash-b) - previously, refreshing an expired access token persisted the new tokens but left the ClaimsPrincipal at its login-time snapshot for the life of the refresh token. Two opt-in additions let applications react to a successful primary refresh (fixes #​174).
    • New Auth0WebAppWithAccessTokenOptions.RebuildPrincipalOnRefresh (default false) rebuilds the ClaimsPrincipal from the refreshed id_token so User.Claims and User.Identity.Name reflect current user information.
    • New Auth0WebAppWithAccessTokenOptions.RefreshClaimsValidationType controls how the refreshed id_token is validated before its claims replace the principal (only consulted when RebuildPrincipalOnRefresh is true): Full (default) validates signature against the cached JWKS plus issuer/audience and business-rule checks, while SkipSignature trusts the back-channel TLS exchange and runs only the business-rule checks.
    • New Auth0WebAppWithAccessTokenEvents.OnTokensRefreshed event fires after every successful primary refresh; the AccessTokenRefreshedContext carries the refreshed AccessToken, IdToken, RefreshToken (null when not rotated), and ExpiresAt. It fires independently of RebuildPrincipalOnRefresh, and after the principal is rebuilt when both are used.
    • Graceful degradation - if the refresh succeeds but rebuilding the principal fails (signature failure, malformed token, or business-rule failure), the SDK keeps the refreshed tokens, retains the existing (stale) principal, logs a warning, and still fires OnTokensRefreshed.
    • Both additions apply only to the primary (login-time) refresh path; tokens fetched for additional audiences via MRRT do not rebuild the principal or fire OnTokensRefreshed.

1.8.0

Added

  • Multi-Resource Refresh Token (MRRT) support #​249, #​251 (kailash-b) - applications can now obtain access tokens for additional audiences and scopes on demand by exchanging the session's refresh token, without forcing the user through another interactive login.
    • New HttpContext.GetAccessTokenAsync(AccessTokenRequest) extension returns an access token for a requested audience and/or scope, served from the session cache when possible and otherwise via a refresh-token exchange.
    • Configure default scopes per audience with Auth0WebAppWithAccessTokenOptions.ScopeByAudience.
    • The new OnAccessTokenRefreshFailed event surfaces refresh failures, letting callers distinguish terminal failures (warranting re-login) from transient ones.
    • MFA challenge handling - when a refresh requires MFA, a new MfaRequiredException surfaces the challenge, and IAuthenticationApiClient (registered via WithAuthenticationApiClient()) lets the application complete OTP, OOB, or recovery-code grants and manage authenticators.
  • Configurable access-token expiration leeway #​247 (kailash-b) - new Auth0WebAppWithAccessTokenOptions.AccessTokenExpirationLeeway (TimeSpan, default 60s) controls how far ahead of expiry the SDK proactively refreshes the access token. Previously hard-coded to 60 seconds; the default preserves prior behavior. Applies to both primary and additional (MRRT) cached tokens, and only takes effect when UseRefreshTokens is enabled.
  • Configurable server-side session store #​246 (kailash-b) - new WithSessionStore method on Auth0WebAppAuthenticationBuilder stores the authentication session server-side (via ITicketStore) instead of in the cookie. It attaches the store to the SDK's own resolved cookie scheme, so it works even with a custom CookieAuthenticationScheme. Two overloads are provided: WithSessionStore<TStore>() (resolved from DI) and WithSessionStore(ITicketStore instance). Opt-in and additive; the default stateless cookie session is unchanged.

Fixed

  • Remove duplicate trailing slash from client_assertion audience #​236 (samjetski) - fixes a regression introduced in 1.7.0 (#​206) where the Private Key JWT client assertion aud claim was built as https://{tenant}// (double slash), causing Auth0's /oauth/token endpoint to reject the assertion with 401 invalid_client and leaving affected apps (any using ClientAssertionSecurityKey) in a callback loop.
  • Wire OnValidatePrincipal to the configured cookie scheme #​248 (kailash-b) - fixes a scheme mismatch where the access-token refresh hook was registered against the default "Cookies" scheme rather than the configured CookieAuthenticationScheme.

Security

  • Bump dependencies #​250 (kailash-b) - consolidates several Dependabot bumps (supersedes #​240, #​242, #​243, #​244): Microsoft.IdentityModel.Protocols.OpenIdConnect 8.18.0 → 8.19.1, Microsoft.AspNetCore.Mvc.Testing 10.0.8 → 10.0.9, Microsoft.AspNetCore.Mvc.ViewFeatures 2.3.10 → 2.3.11, System.Text.Encodings.Web 10.0.8 → 10.0.9.
  • Pin GitHub Actions to commit SHAs #​241 (jcchavezs) - pins all third-party actions in the workflow files to commit SHAs for improved supply-chain security and reproducibility.

Commits viewable in compare view.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---
updated-dependencies:
- dependency-name: Auth0.AspNetCore.Authentication
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file labels Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .net code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Option to update claims during refresh

0 participants