Sourced from Microsoft.Identity.Web's releases.

2.15.1

• Updated IdentityModel dependencies to Identity.Model.*.6.33.0 for all target frameworks other than .NET 8 rc1, for which Microsoft,Identity.Web leverages Identity.Model 7.0.2

New features

• TokenAcquirerFactory now adds support for reading the configuration from environment variables. See issue #2480

Experimental API

(to get feedback, could change without bumping-up the major version)

• It's now possible for an application to observe the client certificate selected by Token acquirer from the ClientCredentials properties, and when the certicate is un-selected (because it's rejected by the Identity Provider, as expired, or revoked). See Observing client certificates. PR #2496

Bug Fixes

• Fixes a resiliency issue where the client certificate rotation wasn't always happening (from KeyKeyVault, or certificate store with same distinguished name). See #2496 for details.
• In the override of AddMicrosoftIdentityWebApp taking a delegate, the delegate is now called only once (it was called twice causing the TokenValidated event to be called twice as well). Fixes #2328
• Fixes a regression introduced in 2.13.3, causing the configuration to not be read, when using an app builder other than the WindowsAppBuilder with AddMicroosftIdentityWebApp/Api, unless you provided an empty authentication scheme when acquiring a token. Fixes #2460, #2410, #2394

2.13.4

• Update to IdentityModel 7.0.0-preview5 on .NET 8 and IdentityModel 6.32.3 for the other target frameworks.
• Update to MSAL 4.56.0, which now enables the cache synchronization by default
• Support for .NET 8 preview 7. See PR #2430

Bug fixes

• In Microsoft.Identity.Web.Owin, removed un-needed reference to Microsoft.Aspnet.WebApi.HelpPage. See issue #2417
• Fix to accomodate for breaking change in ASP.NET Core on .NET 8 that the SecurityToken is now a JsonWebToken. See issue #2420
• Improved the usability of IDownstreamApi by checking all HttpResponse for success before returning to the caller, instead of swallowing issues. This is a change of behavior. See issue #2426
• Improvement/Fix of OWIN scenarios, especially the session with B2C: #2388
• Fix an issue with CIAM web APIs and added two CIAM test apps. See PR #2411
• Fix a bug that is now surfaced by the .NET 8 runtime. See issue #2448
• Added a lock while loading credentials. See issue #2439

Fundamentals

• performance improvements: #2414
• Replaced Selenim with Playwright for more reliable faster UI tests. See issue #2354
• Added MSAL telemetry about the kind of token cache used (L1/L2). See issue #1900
• Resilience improvement: IdWeb now attempts to reload a certificate from its description when AAD returns "certificate revoked" error. See issue #244

2.13.3

• Update to Wilson 7.0.0-preview2 on .NET 8.

New features:

• Support langversion 11, which as fewer allocations compared to 10, see issue #2351 for details.
• In AspNET Core 3.1 and Net 5+, Microsoft.Identity.Web now use the DefaultTokenAcquisitionHost (the host for SDK apps) instead of the Asp.NET Core one, when the service collection was not initialized by ASP.NET Core.
  • This means the IWebHostEnvironment is not present in the collection.
  • If you want the ASP.NET Core host, you would need to use the WebApplication.CreateBuilder().Services instead of instantiating a simple service collection.
• In web APIs, GetAuthenticationResultForUserAsync tries to find the inbound token from user.Identity.BootstrapContext first (if not null), and then from the token acquisition host. This will help for non-asp.NET Core Azure functions for instance, see issue #2371 for details.

2.13.2

Bug fixes:

... (truncated)

Sourced from Microsoft.Identity.Web's changelog.

2.15.1

• Updated IdentityModel dependencies to Identity.Model.*.6.33.0 for all target frameworks other than .NET 8 rc1, for which Microsoft,Identity.Web leverages Identity.Model 7.0.2

2.15.0

New features

• TokenAcquirerFactory now adds support for reading the configuration from environment variables. See issue #2480

Experimental API

(to get feedback, could change without bumping-up the major version)

• It's now possible for an application to observe the client certificate selected by Token acquirer from the ClientCredentials properties, and when the certicate is un-selected (because it's rejected by the Identity Provider, as expired, or revoked). See Observing client certificates. PR #2496

Bug Fixes

• Fixes a resiliency issue where the client certificate rotation wasn't always happening (from KeyKeyVault, or certificate store with same distinguished name). See #2496 for details.
• In the override of AddMicrosoftIdentityWebApp taking a delegate, the delegate is now called only once (it was called twice causing the TokenValidated event to be called twice as well). Fixes #2328
• Fixes a regression introduced in 2.13.3, causing the configuration to not be read, when using an app builder other than the WindowsAppBuilder with AddMicroosftIdentityWebApp/Api, unless you provided an empty authentication scheme when acquiring a token. Fixes #2460, #2410, #2394

2.14.0

• Update to Abstractions 5.0.0
• Include new OpenIdConnect options from net 8. See PR #2462

Bug Fixes

• Chain the OnMessageReceived event. See PR #2468

2.13.4

• Update to IdentityModel 7.0.0-preview5 on .NET 8 and IdentityModel 6.32.3 for the other target frameworks.
• Update to MSAL 4.56.0, which now enables the cache synchronization by default
• Support for .NET 8 preview 7. See PR #2430

Bug fixes

• In Microsoft.Identity.Web.Owin, removed un-needed reference to Microsoft.Aspnet.WebApi.HelpPage. See issue #2417
• Fix to accomodate for breaking change in ASP.NET Core on .NET 8 that the SecurityToken is now a JsonWebToken. See issue #2420
• Improved the usability of IDownstreamApi by checking all HttpResponse for success before returning to the caller, instead of swallowing issues. This is a change of behavior. See issue #2426
• Improvement/Fix of OWIN scenarios, especially the session with B2C: #2388
• Fix an issue with CIAM web APIs and added two CIAM test apps. See PR #2411
• Fix a bug that is now surfaced by the .NET 8 runtime. See issue #2448
• Added a lock while loading credentials. See issue #2439

Fundamentals

• performance improvements: #2414
• Replaced Selenim with Playwright for more reliable faster UI tests. See issue #2354
• Added MSAL telemetry about the kind of token cache used (L1/L2). See issue #1900
• Resilience improvement: IdWeb now attempts to reload a certificate from its description when AAD returns "certificate revoked" error. See issue #244

... (truncated)

• 0a212c4 Changelog 2.15.1 (#2502)
• 9c72590 update wilson (#2501)
• 3f00194 Update changelog.md for 2.15.0 (#2500)
• 5f191c2 Fixes #2410, #2410 (#2499)
• 826ff82 Jmprieur/test cert rotation (#2496)
• 086bf8d Fix #2456 (#2489)
• 768d105 Fix build on .NET FW after #2480 (#2488)
• e528daa Addition of environment variables as config source (#2483)
• f6dc660 Bump Microsoft.Identity.Web.DownstreamApi from 2.13.4 to 2.14.0 (#2478)
• ecf345c Bump Microsoft.Identity.Web.UI from 2.13.4 to 2.14.0 (#2477)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)