Releases: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
8.3.0
New features
Work related to redesign of IdentityModel's token validation logic #2711
- SAML and SAML2 new model validation: Token Replay. See #2994
- Extensibility tests: Token Type - JWT (#3030), Issuer - SAML and SAML2 (#3026), Algorithm and Signature - JWT, SAML and SAML2 (#3034), Token Replay - JWT, SAML and SAML2 (#3032), Issuer signing key - JWT, SAML and SAML2 (#3029)
- Avoid code duplication in extensibility testing. See #3041
- Extensibility Testing: Refactor. See #3011
- Remove duplicate code in extensibility tests. See #3044
Bug fixes
Fundamentals
- Install all .NET versions in pipeline to fix run tests task. See #3018
- Changelog for 8.2.1. See #3009
- Remove unnecessary AoT test project. See #3045
- Fix powershell script for nuget update. See #3046
- Update to next version. See #3010
- Disable Coverage PR comments. See #3048
- Updates GitHub Action to support long paths. See #3049
- Stack parameters to improve reading of code. See #3031
Full Changelog: 8.2.1...8.3.0
8.2.1
New features
- Update to use .NET 9 GA. See 2990.
Bug fixes
- Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets. See 2935.
- Update cgmanifest to align with the JSON schema. See 2969.
Fundamentals
- Streamline token creation in SecurityTokenDescriptor. See 2993.
- Prevent inlining to guarantee stack frames in test. See 2999.
Work related to redesign of IdentityModel's token validation logic #2711
- Simplify stack frame caching. See 2976.
- Implement reading SAML and SAML2 tokens. See 2980.
- Implement validating SAML signature. See 2950.
- Add tests for IssuerExtensibility. See 2987.
- Add validation for SAML and SAML2 issuer signing key. See 2965.
- Add validation for SAML and SAML2 algorithm. See 2984.
What's Changed
- Microsoft.Rest.ClientRuntime has been deprecated, which results in so… by @brentschmaltz in #2970
- Update to next version after 8.2.0 release by @jennyf19 in #2975
- Consolidating test statics by @trwalke in #2956
- New token validation model: Simplify stack frame caching by @iNinja in #2976
- Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets by @filipnavara in #2935
- Update cgmanifest to align with the JSON schema by @jeffhandley in #2969
- SAML and SAML2 new model validation: Read Token by @iNinja in #2980
- SAML2 new model validation: Signature by @iNinja in #2961
- JsonWebTokenHandler IssuerExtensibility by @brentschmaltz in #2987
- SAML and SAML2 new model validation: Issuer Signing Key by @iNinja in #2965
- Ignore AotCompatibilityTests on ADO by @jmprieur in #2992
- SAML and SAML2 new model validation: Algorithm by @iNinja in #2984
- Use SecurityTokenDescriptor when creating tokens by @msbw2 in #2991
- Prevent inlining to guarantee stack frames in test by @westin-m in #3002
- Update to .NET 9 GA. Update some test dependencies. by @pmaytak in #2990
- Add Abstractions.Tests to strong name bypass file. by @pmaytak in #3004
New Contributors
- @jeffhandley made their first contribution in #2969
Full Changelog: 8.2.0...8.2.1
8.2.0
Fundamentals
- Update System.Text.Json to 8.0.5 CVE-2024-43485. See 2892.
- Using FixedTimeEquals in NETCore targets. See 2857.
- Updated .NET 9 to RC 2 2898.
- Adds ability to create token without kid 2968
- Enables code coverage in PRs 2946
- Various test improvements:
- #2953
- #2955
- #2951
- #2952
- #2947
Work related to redesign of IdentityModel's token validation logic #2711
- Validates Audience for SAML2TokenHandler with New Model 2863
- Improvements to AudienceValidation 2902
- Added properties to ValidationResult 2923
- Implements Audience and Lifetime validations in SamlSecurityTokenHandler 2925
- Implements Issuer validation in SamlSecurityTokenHandler 2948
What's Changed
- update to next version by @jennyf19 in #2890
- Use FixedTimeEquals in NETCore targets by @westin-m in #2857
- Update System.Text.Json to 8.0.5 CVE-2024-43485 by @msbw2 in #2892
- Update .NET 9 to RC 2 by @msbw2 in #2898
- Validate Audience for SAML2TokenHandler with New Model by @FuPingFranco in #2863
- Regression tests: Issuer by @iNinja in #2868
- Mark Wilson APIs as Shipped by @westin-m in #2903
- Add Tests for Lifetime Validation Using New Validation Model For SAML2 by @FuPingFranco in #2906
- Suggested changes to AudienceValidation by @brentschmaltz in #2902
- Extensibility tests: Audience by @iNinja in #2861
- Added properties to ValidationResult without throwing by @iNinja in #2923
- Extensibility tests: Lifetime by @iNinja in #2867
- Regression tests: Issuer signing key by @iNinja in #2927
- Do not serialize CaseSensitiveClaimsIdentity.SecurityToken. by @pmaytak in #2896
- Fix typo by @westin-m in #2894
- Implement and Test Audience and Lifetime validations in SamlSecurityTokenHandler with New Validation Model by @FuPingFranco in #2925
- Fix Flaky Tests: NameAndRoleClaimDelegates and RoleClaims by @kellyyangsong in #2873
- Regression tests: Signature by @iNinja in #2930
- Validate Issuer Using New Validation Model in Saml2SecurityTokenHandler by @FuPingFranco in #2929
- Fix builds on macOS / Linux using the build.sh script by @filipnavara in #2937
- Regression tests: Algorithm by @iNinja in #2934
- Regression tests: Token Type by @iNinja in #2932
- Regression tests: Token Replay by @iNinja in #2931
- Fix DevEx and IDDP builds such that when building internally, use an internal Nuget feed instead of nuget.org by @kellyyangsong in #2936
- Restore PopKeyResolvingTests.GetPopKeysFromJkuAsync by @kellyyangsong in #2947
- Restore skipped test: ReferenceCountingTest_MultiThreaded by @kellyyangsong in #2952
- Restore EnsureAotCompatibility test by @kellyyangsong in #2951
- Restore CacheOverflowTestSequential - takes 1.5s by @kellyyangsong in #2955
- Restore CacheOverflowTestMultithreaded test by @kellyyangsong in #2953
- Regression tests: JWE Decryption by @iNinja in #2940
- Enable coverage report in PRs by @westin-m in #2946
- SAML new model validation: Issuer by @iNinja in #2948
- Fix flaky EnsureAotCompatibility() test by @iNinja in #2962
- Add ability to create token without kid by @jennyf19 in #2968
- Adds changelog for 8.2.0 by @sruke in #2971
- Add Ask Mode Change Template by @kellyyangsong in #2941
- SAML new model validation: Signature by @iNinja in #2958
New Contributors
- @filipnavara made their first contribution in #2937
Full Changelog: 8.1.2...8.2.0
8.1.2
What's Changed
Bug fixes
- CaseSensitiveClaimsIdentity.Clone() now returns a CaseSensitiveClaimsIdentity as expected, by @jennyf19 in #2879
- Multiple unused and unusable (for the moment) public APIs were removed. These were introduced by mistake, leaking from the work done on logging and exception handling, by @brentschmaltz in #2888
Fundamentals
- Enabled PublicApiAnalyzers to better understand and trace changes to the public API, by @keegan-caruso in #2782
Full Changelog: 8.1.1...8.1.2
8.1.1
Bug fixes
- Fix bug where ConfigurationManager was updating keys too frequently. See 2866 for details.
What's Changed
- Rename validation delegates by @iNinja in #2847
- Remove TransformBeforeSignatureValidationDelegate from ValidationParameters by @iNinja in #2848
- Add disable discovery enumeration = true to all theory tests by @kellyyangsong in #2849
- Make CaseSensitiveClaimIdentity serializable by @kellyyangsong in #2850
- Remove Obsolete BinaryFormatter by @kellyyangsong in #2851
- Refactor ValidateConditions in Saml2SecurityTokenHandler by @iNinja in #2855
- Set custom BenchmarkDotNetconfig as default by @pmaytak in #2852
- Regression tests: Audience by @iNinja in #2838
- Fix ValidateJsonWebTokenClaimMapping Flaky Test 🐞 by @kellyyangsong in #2859
- update current version by @brentschmaltz in #2862
- Regression tests: Lifetime by @iNinja in #2839
- Rename ResolveTokenDecryptionKeyDelegate to DecryptionKeyResolverDelegate by @iNinja in #2869
- Set internal _syncAfter using only AutomaticRefreshInterval. by @brentschmaltz in #2865
- 8.1.1 Changelog by @kellyyangsong in #2864
- Adjust for RefreshInterval not influencing AutomaticRefreshInterval. by @brentschmaltz in #2870
Full Changelog: 8.1.0...8.1.1
8.1.0
Performance improvements
- Improves performance during issuer validation by replacing string comparison with span comparison. See PR #2826.
New features
- Add optional check to prevent using keys that are shared across multiple clouds. See issue #2832 for details.
Bug fixes
- JsonWebTokenHandler would only return unwrapped keys if there were no errors. This change aligns it with the behavior of JwtSecurityTokenHandler: it returns the keys that could be unwrapped, and throws only if no keys could be unwrapped. See issue #2695 for details.
Fundamentals
- Fix flaky tests. See #2793 for details.
- Update XUnit version and fix test warnings due to new XUnit analyzers. See PR #2796 for details.
- Onboard to code coverage in ADO. See PR #2798.
- Use IsTargetFrameworkCompatible(*) so AOT is forward-compatible with .NET 9 and beyond. See PR #2790 for details.
- Fix a merge conflict impacting dev. See PR #2819.
- Defining the following attribute in multiple assemblies (.Tokens, .Logging) causes an internal error: [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors)]. See PR #2820.
- Remove perl dependency. See PR #2830.
Work related to redesign of IdentityModel's token validation logic #2711
What's Changed
- changelog 8.0.2 by @jennyf19 in #2792
- Update version.props to 8.0.2 by @jennyf19 in #2791
- Fix Async Issue in Extensibility Tests by @FuPingFranco in #2795
- Update xUnit version and fix test warnings by @pmaytak in #2796
- ValidateTokenAsync - New Path: Refactor result types by @iNinja in #2794
- Onboard to code coverage in ADO by @keegan-caruso in #2798
- Exception refinement: Adding additional information by @iNinja in #2800
- Add initial regression tests for the new validation path by @iNinja in #2810
- Use IsTargetFrameworkCompatible() by @martincostello in #2790
- Regression tests: Added inner exception detail and invalid signature failure due to invalid algorithm used by @iNinja in #2811
- Return unwrapped keys if able by @keegan-caruso in #2812
- New token validation path: Renamed result types by @iNinja in #2816
- Fix merge conflict by @msbw2 in #2819
- Removed attribute that causes issues with internal builds. by @brentschmaltz in #2820
- Add missing exception type to ValidationError -> GetException() by @iNinja in #2822
- Regression testing: Add JWE use cases by @iNinja in #2815
- Added ArgumentNullException type with ValidationError by @iNinja in #2818
- Enable TimeProvider on New Model by @FuPingFranco in #2813
- Split tests into parameter testing and value testing by @brentschmaltz in #2827
- Remove perl dependency by @keegan-caruso in #2830
- Uses spans for issuer comparison and fixes prior index out of range error by @sruke in #2826
- Add cloud instance name validation by @alexholub113 in #2804
- Update to 9.0.100-rc.1 by @kellyyangsong in #2821
- CertificateHelper.LoadX509Certificate() takes string instead of byte[] to reduce calls to Convert.FromBase64String by @kellyyangsong in #2834
- Use correct runtime in test-aot.ps1 by @msbw2 in #2837
- move to public nuget and address CVEs by @jennyf19 in #2836
- 8.0.3 changelog by @jennyf19 in #2831
- fix policheck issue by @jennyf19 in #2843
- fix net9 xunit runner by @jennyf19 in #2844
New Contributors
- @alexholub113 made their first contribution in #2804
Full Changelog: 8.0.2...8.1.0
8.0.2
Security fundamentals
- Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors. See PR #2778 for details.
Bug fixes
- IdentityModel now allows the JWT payload to be an empty string. See issue #2656 for details.
- Cache UseRfcDefinitionOfEpkAndKid switch. See PR #2747 for details.
- Method was named DoNotFailOnMissingTid in 7x and DontFailOnMissingTid in 8x, adding the method for back compat. See issue #2750 for details.
- Metadata is now updated on a background thread. See #2780 for details.
- JsonWebKeySet stores the original string it was created with. See PR #2755 for details.
- Restore AOT compatibility. See #2711.
- Fix OpenIdConnect parsing bug. See #2772 for details.
- Remove the lock on creating a SignatureProvider. See #2788 for details.
Fundamentals
- Test clean up #2742.
- Use only FxCop in .NET framework targets #2693.
- Add rule to add file headers automatically #2748.
- Code analysis updates #2746.
- Include README packages in NuGet #2752.
- Update projects inside WilsonUnix solution #2768.
- Code style enforced in build #2603.
- CodeQL update #2767.
- Update build pipeline to new one release build format #2777.
- Update GitHub actions to 9.0.100-preview.7.24407.12 and add <NoWarn>$(NoWarn);SYSLIB0057</NoWarn> due to breaking changes in preview7. #2786.
Work relating to #2711
What's Changed
- Remove old 6x tests used that are not needed anymore by @brentschmaltz in #2742
- Only use fxcop in netfw by @keegan-caruso in #2693
- Allow Jwt payload to be the empty string. by @brentschmaltz in #2745
- Add rule to add file headers automatically. by @pmaytak in #2748
- Remove Delegate Checks in Multiple Validators and Prevents Null Setting of Delegates by @FuPingFranco in #2725
- Fix CodeQL by @pmaytak in #2746
- Cache UseRfcDefinitionOfEpkAndKid switch. by @pmaytak in #2747
- Decrypt token: Remove exceptions + use new ValidationParameters by @iNinja in #2729
- Include README packages in NuGet by @localden in #2752
- Remove internals for new work. by @brentschmaltz in #2753
- Add property named differently in 7x. by @brentschmaltz in #2756
- Remove SlimLock when updating metadata. by @brentschmaltz in #2751
- Revert "Remove SlimLock when updating metadata. (#2751)" by @keegan-caruso in #2762
- Remove Delegate Checks Audience Validator and Prevents Null Setting of Delegate by @FuPingFranco in #2758
- Re-factor Issuer Validator to Follow New Validation Model by @FuPingFranco in #2759
- Update projects inside WilsonUnix solution by @iNinja in #2768
- JsonWebKeySet stores the String it was created with by @westin-m in #2755
- Signature Validation: Remove exceptions by @iNinja in #2757
- Validate IssuerSigningKey: Refactor to use ValidationParameters over TVP by @iNinja in #2764
- Enable EnforceCodeStyleInBuild and fix findings by @keegan-caruso in #2763
- Restore AOT compatibility for IdentityModel by @iNinja in #2773
- try to fix codeQL by @jennyf19 in #2767
- Fix Open Id connect parsing bug. by @keegan-caruso in #2776
- ValidateTokenAsync: New code path by @iNinja in #2771
- Add lock when configuration is null by @brentschmaltz in #2780
- Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors by @pmaytak in #2778
- Adding benchmark for new ValidateTokenAsync model vs old by @FuPingFranco in #2779
- updates for one build by @jennyf19 in #2777
- update to 9.0.100-preview.7.24407.12 by @jennyf19 in #2786
- Remove lock when creating a SignatureProvider by @brentschmaltz in #2788
Full Changelog: 8.0.1...8.0.2
8.0.1
Bug fixes
- IdentityModel now resolves the public key for ECDH. See issue #1951 for details.
- Fix a race condition where SignatureProvider was disposed but still able to leverage the cache, and SignatureProvider now disposes when compacting. See PR #2682 for details.
- For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #2737 for details.
Performance improvement
- AppContext.TryGetSwitch statically caches internally but takes out a lock. .NET almost always caches these values. They're not expected to change while the process is running, unlike normal config. IdentityModel now caches the value. See issue #2722 for details.
7.7.1
7.7.0
CVE package updates
- A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner, which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Opt in to the new behavior via an AppContext switch. See PR #2715 for details.
Performance improvement
- AppContext.TryGetSwitch statically caches internally but takes out a lock. .NET almost always caches these values. They're not expected to change while the process is running, unlike normal config. IdentityModel now caches the value. See issue #2722 for details.