Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[deps]: Update System.IdentityModel.Tokens.Jwt to v8 #15

Merged
merged 2 commits into from
Feb 5, 2025
Merged

[deps]: Update System.IdentityModel.Tokens.Jwt to v8 #15

merged 2 commits into from
Feb 5, 2025

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 5, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
System.IdentityModel.Tokens.Jwt 6.36.0 -> 8.3.1 age adoption passing confidence

Release Notes

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (System.IdentityModel.Tokens.Jwt)

v8.3.1

Compare Source

8.3.1

Bug Fixes

  • Respect TVP.RequireAudience when set to false. See #​3055
  • For net4.6.2 select RSACng for PSS support. See #​3097
  • Fix package downgrade in consuming libraries. See#​3062
  • Fix integer overflow in AuthenticationEncryptionProvider.cs. See #​3063

Fundamentals

  • Removed unused property on JsonWebToken ClaimsIdentity. See #​3071 for details.
  • Upgrade to C# 13. See #​2998
  • Use new Base64Url API. See #​22817
  • Add warning quality check. See #​3067
  • Update dotnet actions. see #​3074
  • Fix warnings. See #​3081
  • Test updates in JsonWebToken. See #​3080.
Work related to redesign of IdentityModel's token validation logic #​2711

What's Changed

New Contributors

Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.3.0...8.3.1

v8.3.0

Compare Source

=====

New features

Work related to redesign of IdentityModel's token validation logic #​2711

Bug fixes

Fundamentals

New Contributors

v8.2.1

Compare Source

=====

New features
  • Update to use .NET 9 GA. See 2990.
Bug fixes
  • Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets. See 2935.
  • Update cgmanifest to align with the JSON schema. See 2969.
Fundamentals
  • Streamline token creation by using SecurityTokenDescriptor. See 2993.
  • Prevent inlining to guarantee stack frames in test. See 2999.
Work related to redesign of IdentityModel's token validation logic #​2711
  • Simplify stack frame caching. See 2976.
  • Implement new model for reading SAML and SAML2 tokens. See 2980.
  • Implement new model for validating SAML signature. See 2950.
  • Add tests for IssuerExtensibility. See 2987.
  • Switch to new validation model for SAML and SAML2 issuer signing key. See 2965.
  • Switch to new validation model for SAML and SAML2 algorithm. See 2984.

v8.2.0

Compare Source

=====

Fundamentals
Work related to redesign of IdentityModel's token validation logic #​2711
  • Validates Audience for SAML2TokenHandler with New Model 2863
  • Improvements to AudienceValidation 2902
  • Added properties to ValidationResult 2923
  • Implements Audience and Lifetime validations in SamlSecurityTokenHandler 2925
  • Implements Issuer validation in SamlSecurityTokenHandler 2948

v8.1.2

Compare Source

=====

Bug fixes
  • CaseSensitiveClaimsIdentity.Clone() now returns a CaseSensitiveClaimsIdentity as expected. See 2879
  • Multiple unused and unusable (for the moment) public APIs were removed. These were introduced by mistake leaking from the work done on logging and exception handling. See 2888. No major version changed needed as these APIs were not usable per se.
Fundamentals
  • Enabled PublicApiAnalyzers to better understand and trace changes to the public API. See2782

v8.1.1

Compare Source

=====

Bug fixes
  • Fix bug where ConfigurationManager was updating keys too frequently. See 2866 for details.

v8.1.0

Compare Source

=====

Performance improvements
  • Improves performance during issuer validation by replacing string comparison with span comparison. See PR #​2826.
New features
  • Add optional check to prevent using keys that are shared across multiple clouds. See issue #​2832 for details.
Bug fixes
  • JsonWebTokenHandler would only return unwrapped keys if there was no errors. This change is to align with the behavior in JwtSecurityTokenHandler, that is it returns the keys that were able to be unwrapped, and only throw if no keys were able to be unwrapped. See issue #​2695 for details.
Fundamentals
  • Fix flaky tests. See #​2793 for details.
  • Update XUnit versoin and fix test warnings due to new XUnit analyzers. See PR #​2796 for details.
  • Onhboard to code coverage in ADO. See PR #​2798.
  • Use IsTargetFrameworkCompatible(*) so AOT is forward-compatible with .NET 9 and beyond. See PR #​2790 for details.
  • Fix a merge conflict impacting dev. See PR #​2819.
  • Defining the following attribute in multiple assemblies (.Tokens, .Logging) causes an internal error.
    [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors)]. See PR #​2820.
  • Remove perl dependency. See PR #​2830.
Work related to redesign of IdentityModel's token validation logic #​2711

v8.0.2

Compare Source

=====

Security fundamentals
  • Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors. See PR #​2778 for details.
Bug fixes
  • IdentityModel now allows the JWT payload to be an empty string. See issue #​2656 for details.
  • Cache UseRfcDefinitionOfEpkAndKid switch. See PR #​2747 for details.
  • Method was named DoNotFailOnMissingTid in 7x and DontFailOnMissingTid in 8x, adding the method for back compat. See issue #​2750 for details.
  • Metadata is now updated on a background thread. See #​2780 for details.
  • JsonWebKeySet stores the original string it was created with. See PR #​2755 for details.
  • Restore AOT compatibility. See #​2711.
  • Fix OpenIdConnect parsing bug. See #​2772 for details.
  • Remove the lock on creating a SignatureProvider. See #​2788 for details.
Fundamentals
  • Test clean up #​2742.
  • Use only FxCop in .NET framework targets #​2693.
  • Add rule to add file headers automatically #​2748.
  • Code analysis updates #​2746.
  • Include README packages in NuGet #​2752.
  • Update projects inside WilsonUnix solution #​2768.
  • Code style enforced in build #​2603.
  • CodeQL update #​2767.
  • Update build pipeline to new one release build format #​2777.
  • Update GitHub actions to 9.0.100-preview.7.24407.12 and add <NoWarn>$(NoWarn);SYSLIB0057</NoWarn> due to breaking changes in preview7. #​2786.
Work relating to #​2711

v8.0.1

Compare Source

=====

Bug fixes
  • IdentityModel now resolves the public key to EPK. See issue #​1951 for details.
  • Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #​2682 for details.
  • For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #​2737 for details.
Performance improvement

v8.0.0

Compare Source

=====

CVE package updates

CVE-2024-30105

Breaking change:

Full list of breaking changes.

Overall improvements to the validation in IdentityModel:
  • See design proposal #​2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.
New Features:
  • Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #​2698 for details.
Bug fixes:
Fundamentals
  • Remove code that was used in target frameworks that got removed. See PR #​2673 for details.
  • Rename local variables for better readability. See PR #​2674 for details.
  • Refactor XML comments for improved clarity. See PR #​2676, #​2677, #​2678, #​2689 and #​2703 for details.
  • Fix flaky test. See issue #​2683 for details.
  • Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #​2661

v7.7.1

Compare Source

7.7.1

Bug Fix
  • Re-add JsonSerializerPrimitives.TryAllStringClaimsAsDateTime which was removed as it is in an internal class, but due to InternalsVisibleTo can lead to a MissingMethodException if IdentityModel versions are not aligned. See PR #​2734 for details.

v7.7.0

7.7.0

CVE package updates

CVE-2024-30105

  • A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Opt in to the new behavior via an AppContext switch. See PR #​2715 for details.

v7.6.2

Compare Source

7.6.2

Bug Fix:
  • Revert reduced allocations in AadIssuerValidator by not using string.Replace where appropriate due to an index out-of-range error.

v7.6.1

Compare Source

=====

New Features:
  • Added an Audiences member to the SecurityTokenDescriptor to make it easier to define multiple audiences in JWT and SAML tokens. Addresses issue #​1479 with PR #​2575
  • Add missing metadata parameters to OpenIdConnectConfiguration. See issue #​2498 for details.
Bug Fixes:
  • Fix over-reporting of IDX14100. See issue #​2058 and PR #​2618 for details.
  • JwtRegisteredClaimNames now contains previously missing Standard OpenIdConnect claims. See issue #​1598 for details.
Performance Improvements:
  • No longer for every string claim, calling DateTime.TryParse on each value, whether it is expected to be a DateTime or not. See issue #​2615 for details.

v7.6.0

Compare Source

=====

New Features:
  • Update JsonWebToken - extract and expose the method that reads the header/payload property values from the reader so it can be overridden in children classes to add any extra own logic. See issues #​2581, #​2583, and #​2495 for details.
Bug Fixes:
  • JWE header algorithm is now compliant to IANA document. See issue #​2089 for details.
Performance Improvements:
  • Reduce the number of internal array allocations that need to happen for each claim set, see PR #​2596.
Fundamentals:
  • Add an AOT compatibility check on each PR to ensure only AOT compatible code is checked-in. See PR #​2598.
  • Update perl scrip for OneBranch build. See PR #​2602.
  • Add langversion 12 to benchmark tests. See PR #​2601.
  • Removed unused build.cmd file. See PR #​2605.
  • Create CodeQL exclusions file. See PR #​2609.
  • Fix variable usage in AOT script. See PR #​2610.
  • Move Microsoft.IdentityModel.Tokens delegates to a new file. See PR #​2606

v7.5.2

Compare Source

=====

Bug Fixes:
Fundamentals:
  • App Context Switches in Identity Model 7x are now documented here.
Performance Improvements:
  • In .NET 6 or greater, use a temporary buffer to reduce intermediate allocation in VerifyRsa/VerifyECDsa. See PR #​2589 for more details.
  • Reduce allocations in ValidateSignature by using a collection expression instead of new List<SecurityKey> { key }, to optimize for the single element case. See PR #​2586 for more details.
  • Remove Task allocation in AadIssuerValidator. See PR #​2584 for more details.

v7.5.1

Compare Source

=====

Performance Improvements:
  • Use Base64.DecodeFromUtf8InPlace for base64 decode that saves 12% on token read time. Note that JsonWebToken no longer throws ArgumentOutOfRangeException and ArgumentException exceptions. See PR #​2504.
Fundamentals:
Bug Fix:
  • Contribution from @​martinb69 to fix correct parsing of UserInfoEndpoint. See issue #​2548 for details.

v7.5.0

=====

New features
  • Supports the 1.1 version of the Microsoft Entra ID Endpoint #​2503

v7.4.1

======

Bug Fixes:
  • SamlSecurityTokenHandler and Saml2SecurityTokenHandler now can fetch configuration when validating SAML issuer and signature. See PR #​2412
  • JsonWebToken.ReadToken now correctly checks Dot3 index in JWE. See PR #​2501
Engineering Excellence:
  • Remove reference to Microsoft.IdentityModel.Logging in Microsoft.IdentityModel.Protocols, which already depends on it via Microsoft.IdentityModel.Tokens. See PR #​2508
  • Adjust uppercase json serialization tests to fix an unreliable test method, add consistency to naming. See PR #​2512
  • Disable the 'restore' and 'build' steps of 'build and pack' in build.sh, improving speed. See PR #​2521

v7.4.0

======

New Features:
  • Introduced an injection point for external metadata management and adjusted the issuer Last Known Good (LKG) to maintain the state within the issuer validator. See PR #​2480.
  • Made an internal virtual method public, enabling users to provide signature providers. See PR #​2497.
Performance Improvements:
  • Added a new JsonWebToken constructor that accepts Memory for improved performance, along with enhancements to existing constructors. More information can be found in issue #​2487 and in PR #​2458.
Fundamentals:
  • Resolved the issue of duplicated log messages in the source code and made IDX10506 log message more specific. For more details, refer to PR #​2481.
  • Enhanced Json serialization by ensuring the complete object is always read. This improvement can be found in PR #​2491.
Engineering Excellence:
  • Streamlined the build and release process by replacing the dependency on updateAssemblyInfo.ps1 with the Version property. Check out the details in PR #​2494.
  • Excluded the packing of Benchmark and TestApp projects for a more efficient process. Details available in PR #​2496.

v7.3.1

Compare Source

======

Bug Fixes:
  • Replace propertyName with MetadataName constant. See issue #​2471 for details.
  • Fix 6x to 7x regression where mixed cases OIDC json was not correctly process. See #​2404 and #​2402 for details.
Performance Improvements:
  • Update the benchmark configuration. See issue #​2468.
Documentation:
  • Update comment for azp in JsonWebToken. See #​2475 for details.
  • Link to breaking change announcement. See [#​2478].
  • Fix typo in log message. See [#​2479].

v7.3.0

Compare Source

======

New Features:

Addition of the ClientCertificates property to the HttpRequestData class enables exposure of certificate collection involved in authenticating the client against the server and unlock support of new scenarios within the SDK. See PR #​2462 for details.

Bug Fixes:

Fixed bug where x5c property is empty in JwtHeader after reading a JWT containing x5c in its header, issue #​2447, see PR #​2460 for details.
Fixed bug where JwtPayload.Claim.Value was not culture invariant #​2409. Fixed by PRs #​2453 and #​2461.
Fixed bug where Guid values in JwtPayload caused an exception, issue #​2439. Fixed by PR #​2440.

Performance Improvements:

Remove linq from BaseConfigurationComparer, improvement [#​2464](https://redirect.github.com/AzureAD/azure-activedirectory-identitymodel-extensions-f

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner August 5, 2024 03:13
@renovate renovate bot requested a review from dani-garcia August 5, 2024 03:13
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from 45cd9a4 to 04f8a26 Compare August 22, 2024 07:40
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from 04f8a26 to 27313c7 Compare September 4, 2024 20:23
@codecov Codecov
Copy link

codecov bot commented Sep 4, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 37.06%. Comparing base (195e781) to head (7464b6e).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main      #15   +/-   ##
=======================================
  Coverage   37.06%   37.06%           
=======================================
  Files          37       37           
  Lines        1071     1071           
  Branches       91       91           
=======================================
  Hits          397      397           
  Misses        642      642           
  Partials       32       32

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch 2 times, most recently from da96baf to 4514d53 Compare September 6, 2024 14:08
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from 4514d53 to 4726110 Compare September 16, 2024 21:11
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from 4726110 to ddb3fca Compare September 24, 2024 16:40
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from ddb3fca to 7eb574c Compare October 5, 2024 04:15
@renovate renovate bot requested a review from a team as a code owner October 5, 2024 04:15
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from 7eb574c to 76aef2a Compare October 8, 2024 22:01
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from 76aef2a to a73789c Compare November 2, 2024 22:26
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from a73789c to 38793e2 Compare November 15, 2024 20:25
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from 38793e2 to 95fbceb Compare December 4, 2024 19:46
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from 95fbceb to 247626b Compare January 17, 2025 21:55
@renovate renovate bot force-pushed the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch from 247626b to 782f9b3 Compare January 29, 2025 12:53
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Feb 5, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 5, 2025

Logo
Checkmarx One – Scan Summary & Details8557620d-f566-4c78-b38b-5604f65e5182

Great job, no security vulnerabilities found in this Pull Request

@justindbaur justindbaur merged commit 2f9f13e into main Feb 5, 2025
10 checks passed
@justindbaur justindbaur deleted the renovate/major-dotnet-azure-ad-identitymodel-extensions-monorepo branch February 5, 2025 04:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justindbaur justindbaur justindbaur approved these changes

@dani-garcia dani-garcia Awaiting requested review from dani-garcia dani-garcia is a code owner automatically assigned from bitwarden/team-platform-dev

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@justindbaur