Skip to content

Releases: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet

8.3.0

04 Dec 20:58
1293a5d
Compare
Choose a tag to compare

New features

Work related to redesign of IdentityModel's token validation logic #2711

  • SAML and SAML2 new model validation: Token Replay. See #2994
  • Extensibility tests: Token Type - JWT (#3030), Issuer - SAML and SAML2 (#3026), Algorithm and Signature - JWT, SAML and SAML2 (#3034), Token Replay - JWT, SAML and SAML2 (#3032), Issuer signing key - JWT, SAML and SAML2 (#3029)
  • Avoid code duplication in extensibility testing. See #3041
  • Extensibility Testing: Refactor. See #3011
  • Remove duplicate code in extensibility tests. See #3044

Bug fixes

  • Fix bug with AadIssuerValidator. See #3042
  • Fixed SignedHttpRequest flaky test. See #3037

Fundamentals

  • Install all .NET versions in pipeline to fix run tests task. See #3018
  • Changelog for 8.2.1. See #3009
  • Remove unnecessary AoT test project. See in #3045
  • Fix powershell script for nuget update. See #3046
  • Update to next version. See #3010
  • Disable Coverage PR comments. See #3048
  • Updates GitHub Action to support long paths, See #3049
  • Stack parameters to improve reading of code. See #3031

New Contributors

Full Changelog: 8.2.1...8.3.0

8.2.1

15 Nov 19:36
6dc806c
Compare
Choose a tag to compare

8.2.1

New features

  • Update to use .NET 9 GA. See 2990.

Bug fixes

  • Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets. See 2935.
  • Update cgmanifest to align with the JSON schema. See 2969.

Fundamentals

  • Streamline token creation in SecurityTokenDescriptor. See 2993.
  • Prevent inlining to guarantee stack frames in test. See 2999.

Work related to redesign of IdentityModel's token validation logic #2711

  • Simplify stack frame caching. See 2976.
  • Implement reading SAML and SAML2 tokens. See 2980.
  • Implement validating SAML signature. See 2950.
  • Add tests for IssuerExtensibility. See 2987.
  • Add validation for SAML and SAML2 issuer signing key. See 2965.
  • Add validation for SAML and SAML2 algorithm. See 2984.

What's Changed

  • Microsoft.Rest.ClientRuntime has been deprecated, which results in so… by @brentschmaltz in #2970
  • Update to next version after 8.2.0 release by @jennyf19 in #2975
  • Consolidating test statics by @trwalke in #2956
  • New token validation model: Simplify stack frame caching by @iNinja in #2976
  • Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets by @filipnavara in #2935
  • Update cgmanifest to align with the JSON schema by @jeffhandley in #2969
  • SAML and SAML2 new model validation: Read Token by @iNinja in #2980
  • SAML2 new model validation: Signature by @iNinja in #2961
  • JsonWebTokenHandler IssuerExtensibility by @brentschmaltz in #2987
  • SAML and SAML2 new model validation: Issuer Signing Key by @iNinja in #2965
  • Ignore AotCompatibilityTests on ADO by @jmprieur in #2992
  • SAML and SAML2 new model validation: Algorithm by @iNinja in #2984
  • Use SecurityTokenDescriptor when creating tokens by @msbw2 in #2991
  • Prevent inlining to guarantee stack frames in test by @westin-m in #3002
  • Update to .NET 9 GA. Update some test dependencies. by @pmaytak in #2990
  • Add Abstractions.Tests to strong name bypass file. by @pmaytak in #3004

New Contributors

Full Changelog: 8.2.0...8.2.1

8.2.0

02 Nov 21:00
5471249
Compare
Choose a tag to compare

8.2.0

Fundamentals

Work related to redesign of IdentityModel's token validation logic #2711

  • Validates Audience for SAML2TokenHandler with New Model 2863
  • Improvements to AudienceValidation 2902
  • Added properties to ValidationResult 2923
  • Implements Audience and Lifetime validations in SamlSecurityTokenHandler 2925
  • Implements Issuer validation in SamlSecurityTokenHandler 2948

What's Changed

New Contributors

Full Changelog: 8.1.2...8.2.0

8.1.2

08 Oct 21:33
4005548
Compare
Choose a tag to compare

What's Changed

Bug fixes

  • CaseSensitiveClaimsIdentity.Clone() now returns a CaseSensitiveClaimsIdentity as expected, by @jennyf19 in #2879
  • Multiple unused and unusable (for the moment) public APIs were removed. These were introduced by mistake leaking from the work done on logging and exception handling, by @brentschmaltz in #2888

Fundamentals

  • Enabled PublicApiAnalyzers to better understand and trace changes to the public API, by @keegan-caruso in #2782

Full Changelog: 8.1.1...8.1.2

8.1.1

05 Oct 01:58
6771a49
Compare
Choose a tag to compare

8.1.1

Bug fixes

  • Fix bug where ConfigurationManager was updating keys too frequently. See 2866 for details.

What's Changed

Full Changelog: 8.1.0...8.1.1

8.1.0

24 Sep 15:24
1f2883c
Compare
Choose a tag to compare

8.1.0

Performance improvements

  • Improves performance during issuer validation by replacing string comparison with span comparison. See PR #2826.

New features

  • Add optional check to prevent using keys that are shared across multiple clouds. See issue #2832 for details.

Bug fixes

  • JsonWebTokenHandler would only return unwrapped keys if there was no errors. This change is to align with the behavior in JwtSecurityTokenHandler, that is it returns the keys that were able to be unwrapped, and only throw if no keys were able to be unwrapped. See issue #2695 for details.

Fundamentals

  • Fix flaky tests. See #2793 for details.
  • Update XUnit versoin and fix test warnings due to new XUnit analyzers. See PR #2796 for details.
  • Onhboard to code coverage in ADO. See PR #2798.
  • Use IsTargetFrameworkCompatible(*) so AOT is forward-compatible with .NET 9 and beyond. See PR #2790 for details.
  • Fix a merge conflict impacting dev. See PR #2819.
  • Defining the following attribute in multiple assemblies (.Tokens, .Logging) causes an internal error.
    [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors)]. See PR #2820.
  • Remove perl dependency. See PR #2830.

Work related to redesign of IdentityModel's token validation logic #2711

What's Changed

New Contributors

Full Changelog: 8.0.2...8.1.0

8.0.2

22 Aug 15:58
1e23cef
Compare
Choose a tag to compare

8.0.2

Security fundamentals

  • Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors. See PR #2778 for details.

Bug fixes

  • IdentityModel now allows the JWT payload to be an empty string. See issue #2656 for details.
  • Cache UseRfcDefinitionOfEpkAndKid switch. See PR #2747 for details.
  • Method was named DoNotFailOnMissingTid in 7x and DontFailOnMissingTid in 8x, adding the method for back compat. See issue #2750 for details.
  • Metadata is now updated on a background thread. See #2780 for details.
  • JsonWebKeySet stores the original string it was created with. See PR #2755 for details.
  • Restore AOT compatibility. See #2711.
  • Fix OpenIdConnect parsing bug. See #2772 for details.
  • Remove the lock on creating a SignatureProvider. See #2788 for details.

Fundamentals

  • Test clean up #2742.
  • Use only FxCop in .NET framework targets #2693.
  • Add rule to add file headers automatically #2748.
  • Code analysis updates #2746.
  • Include README packages in NuGet #2752.
  • Update projects inside WilsonUnix solution #2768.
  • Code style enforced in build #2603.
  • CodeQL update #2767.
  • Update build pipeline to new one release build format #2777.
  • Update GitHub actions to 9.0.100-preview.7.24407.12 and add <NoWarn>$(NoWarn);SYSLIB0057</NoWarn> due to breaking changes in preview7. #2786.

Work relating to #2711

What's Changed

New Contributors

Full Changelog: 8.0.1...8.0.2

8.0.1

23 Jul 00:15
e67b25b
Compare
Choose a tag to compare

8.0.1

Bug fixes

  • IdentityModel now resolves the public key for ECDH. See issue #1951 for details.
  • Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #2682 for details.
  • For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #2737 for details.

Performance improvement

  • AppContext.TryGetSwitch statically caches internally but takes out a lock.
    .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.

7.7.1

19 Jul 23:48
aea9c71
Compare
Choose a tag to compare

7.7.1

Bug Fix

  • Re-add JsonSerializerPrimitives.TryAllStringClaimsAsDateTime which was removed as it is in an internal class, but due to InternalsVisibleTo can lead to a MissingMethodException if IdentityModel versions are not aligned. See PR #2734 for details.

7.7.0

19 Jul 01:34
74d8a82
Compare
Choose a tag to compare

7.7.0

CVE package updates

CVE-2024-30105

  • A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Opt in to the new behavior via an AppContext switch. See PR #2715 for details.

Performance improvement

  • AppContext.TryGetSwitch statically caches internally but takes out a lock.
    .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.