Bump WilsonVersion from 7.1.2 to 8.0.0 #122

dependabot · 2024-07-22T19:29:45Z

Bumps WilsonVersion from 7.1.2 to 8.0.0.
Updates System.IdentityModel.Tokens.Jwt from 7.1.2 to 8.0.0

Release notes

Sourced from System.IdentityModel.Tokens.Jwt's releases.

8.0.0

CVE package updates

CVE-2024-30105

See PR #2707 for details.

Breaking change:

Full list of breaking changes.

A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.

Make CollectionUtilities.IsNullOrEmpty internal. See issues #2651 and #1722 for details.

Overall improvements to the validation in IdentityModel:

See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.

Bug fixes:

Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #2680 for details.

Continuation of #2637 and #2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.

The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0

The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0

Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #2524 for details.

When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #1970.

Fundamentals

Remove code that was used in target frameworks that got removed. See PR #2673 for details.

Rename local variables for better readability. See PR #2674 for details.

Refactor XML comments for improved clarity. See PR #2676, #2677, #2678, #2689 and #2703 for details.

Fix flaky test. See issue #2683 for details.

Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #2661

8.0.0-preview1

Breaking changes:

IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue #2544 for details.

Two IdentityModel extension dlls Microsoft.IdentityModel.KeyVaultExtensions and Microsoft.IdentityModel.ManagedKeyVaultSecurityKey were using ADAL, which is no longer supported . The affected packages have been removed, as the replacement is to use Microsoft.Identity.Web. See issue #2454 for details.

AppContext.SetSwitch which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue #2629 and https://aka.ms/IdentityModel8x for details.

7.7.1

Bug Fix

Re-add JsonSerializerPrimitives.TryAllStringClaimsAsDateTime which was removed as it is in an internal class, but due to InternalsVisibleTo can lead to a MissingMethodException if IdentityModel versions are not aligned. See PR #2734 for details.

7.7.0

CVE package updates

CVE-2024-30105

... (truncated)

Changelog

Sourced from System.IdentityModel.Tokens.Jwt's changelog.

8.0.0

CVE package updates

CVE-2024-30105

See PR #2707 for details.

Breaking change:

Full list of breaking changes.

A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.

Make CollectionUtilities.IsNullOrEmpty internal. See issues #2651 and #1722 for details.

Overall improvements to the validation in IdentityModel:

See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.

Bug fixes:

Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #2680 for details.

Continuation of #2637 and #2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.

The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0

The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0

Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #2524 for details.

When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #1970.

Fundamentals

Remove code that was used in target frameworks that got removed. See PR #2673 for details.

Rename local variables for better readability. See PR #2674 for details.

Refactor XML comments for improved clarity. See PR #2676, #2677, #2678, #2689 and #2703 for details.

Fix flaky test. See issue #2683 for details.

Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #2661

8.0.0-preview1

Breaking changes:

IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue #2544 for details.

Two IdentityModel extension dlls Microsoft.IdentityModel.KeyVaultExtensions and Microsoft.IdentityModel.ManagedKeyVaultSecurityKey were using ADAL, which is no longer supported . The affected packages have been removed, as the replacement is to use Microsoft.Identity.Web. See issue #2454 for details.

AppContext.SetSwitch which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue #2629 and https://aka.ms/IdentityModel8x for details.

7.6.1

New Features:

Added an Audiences member to the SecurityTokenDescriptor to make it easier to define multiple audiences in JWT and SAML tokens. Addresses issue #1479 with PR #2575

Add missing metadata parameters to OpenIdConnectConfiguration. See issue #2498 for details.

Bug Fixes:

Fix over-reporting of IDX14100. See issue #2058 and PR #2618 for details.

JwtRegisteredClaimNames now contains previously missing Standard OpenIdConnect claims. See issue #1598 for details.

... (truncated)

Commits

2e7c701 Update Saml2SecurityTokenHandler.cs (#2718)
20f5266 Call TVP.CreateClaimsIdentity to support users that have overloaded. (#2716)
ef6018d add PR #2661 to the changelog for 8.0.0 (#2717)
f7fc22d make GetConfigurationAsync virtual (#2661)
315b80b 8.0.0 changelog (#2712)
b16660f update for CVE with System.Text.Json (#2707)
afb9c59 Add CaseSensitiveClaimsIdentity type. (#2700)
863ba0f Establish base for ValidationParameters refactor (#2709)
323dda3 Additional Write API take a Stream (#2698)
1db51db Refactor XML comments for clarity (#2703)
Additional commits viewable in compare view

Updates Microsoft.IdentityModel.JsonWebTokens from 7.1.2 to 8.0.0

Release notes

Sourced from Microsoft.IdentityModel.JsonWebTokens's releases.

8.0.0

CVE package updates

CVE-2024-30105

See PR #2707 for details.

Breaking change:

Full list of breaking changes.

A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.

Make CollectionUtilities.IsNullOrEmpty internal. See issues #2651 and #1722 for details.

Overall improvements to the validation in IdentityModel:

See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.

Bug fixes:

Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #2680 for details.

Continuation of #2637 and #2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.

The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0

The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0

Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #2524 for details.

When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #1970.

Fundamentals

Remove code that was used in target frameworks that got removed. See PR #2673 for details.

Rename local variables for better readability. See PR #2674 for details.

Refactor XML comments for improved clarity. See PR #2676, #2677, #2678, #2689 and #2703 for details.

Fix flaky test. See issue #2683 for details.

Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #2661

8.0.0-preview1

Breaking changes:

IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue #2544 for details.

Two IdentityModel extension dlls Microsoft.IdentityModel.KeyVaultExtensions and Microsoft.IdentityModel.ManagedKeyVaultSecurityKey were using ADAL, which is no longer supported . The affected packages have been removed, as the replacement is to use Microsoft.Identity.Web. See issue #2454 for details.

AppContext.SetSwitch which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue #2629 and https://aka.ms/IdentityModel8x for details.

7.7.1

Bug Fix

Re-add JsonSerializerPrimitives.TryAllStringClaimsAsDateTime which was removed as it is in an internal class, but due to InternalsVisibleTo can lead to a MissingMethodException if IdentityModel versions are not aligned. See PR #2734 for details.

7.7.0

CVE package updates

CVE-2024-30105

... (truncated)

Changelog

Sourced from Microsoft.IdentityModel.JsonWebTokens's changelog.

8.0.0

CVE package updates

CVE-2024-30105

See PR #2707 for details.

Breaking change:

Full list of breaking changes.

A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.

Make CollectionUtilities.IsNullOrEmpty internal. See issues #2651 and #1722 for details.

Overall improvements to the validation in IdentityModel:

See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.

Bug fixes:

Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #2680 for details.

Continuation of #2637 and #2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.

The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0

The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0

Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #2524 for details.

When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #1970.

Fundamentals

Remove code that was used in target frameworks that got removed. See PR #2673 for details.

Rename local variables for better readability. See PR #2674 for details.

Refactor XML comments for improved clarity. See PR #2676, #2677, #2678, #2689 and #2703 for details.

Fix flaky test. See issue #2683 for details.

Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #2661

8.0.0-preview1

Breaking changes:

IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue #2544 for details.

Two IdentityModel extension dlls Microsoft.IdentityModel.KeyVaultExtensions and Microsoft.IdentityModel.ManagedKeyVaultSecurityKey were using ADAL, which is no longer supported . The affected packages have been removed, as the replacement is to use Microsoft.Identity.Web. See issue #2454 for details.

AppContext.SetSwitch which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue #2629 and https://aka.ms/IdentityModel8x for details.

7.6.1

New Features:

Added an Audiences member to the SecurityTokenDescriptor to make it easier to define multiple audiences in JWT and SAML tokens. Addresses issue #1479 with PR #2575

Add missing metadata parameters to OpenIdConnectConfiguration. See issue #2498 for details.

Bug Fixes:

Fix over-reporting of IDX14100. See issue #2058 and PR #2618 for details.

JwtRegisteredClaimNames now contains previously missing Standard OpenIdConnect claims. See issue #1598 for details.

... (truncated)

Commits

2e7c701 Update Saml2SecurityTokenHandler.cs (#2718)
20f5266 Call TVP.CreateClaimsIdentity to support users that have overloaded. (#2716)
ef6018d add PR #2661 to the changelog for 8.0.0 (#2717)
f7fc22d make GetConfigurationAsync virtual (#2661)
315b80b 8.0.0 changelog (#2712)
b16660f update for CVE with System.Text.Json (#2707)
afb9c59 Add CaseSensitiveClaimsIdentity type. (#2700)
863ba0f Establish base for ValidationParameters refactor (#2709)
323dda3 Additional Write API take a Stream (#2698)
1db51db Refactor XML comments for clarity (#2703)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps `WilsonVersion` from 7.1.2 to 8.0.0. Updates `System.IdentityModel.Tokens.Jwt` from 7.1.2 to 8.0.0 - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@7.1.2...8.0.0) Updates `Microsoft.IdentityModel.JsonWebTokens` from 7.1.2 to 8.0.0 - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@7.1.2...8.0.0) --- updated-dependencies: - dependency-name: System.IdentityModel.Tokens.Jwt dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.IdentityModel.JsonWebTokens dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot · 2024-07-29T20:00:10Z

Superseded by #124.

dependabot bot added the dependencies Pull requests that update a dependency file label Jul 22, 2024

dependabot bot mentioned this pull request Jul 22, 2024

Bump Microsoft.IdentityModel.JsonWebTokens from 7.1.2 to 7.6.3 #120

Closed

dependabot bot closed this Jul 29, 2024

dependabot bot deleted the dependabot/nuget/WilsonVersion-8.0.0 branch July 29, 2024 20:00

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump WilsonVersion from 7.1.2 to 8.0.0 #122

Bump WilsonVersion from 7.1.2 to 8.0.0 #122

dependabot bot commented on behalf of github Jul 22, 2024

dependabot bot commented on behalf of github Jul 29, 2024

Bump WilsonVersion from 7.1.2 to 8.0.0 #122

Bump WilsonVersion from 7.1.2 to 8.0.0 #122

Conversation

dependabot bot commented on behalf of github Jul 22, 2024

8.0.0

CVE package updates

Breaking change:

Overall improvements to the validation in IdentityModel:

New Features:

Bug fixes:

Fundamentals

8.0.0-preview1

Breaking changes:

7.7.1

Bug Fix

7.7.0

CVE package updates

8.0.0

CVE package updates

Breaking change:

Overall improvements to the validation in IdentityModel:

New Features:

Bug fixes:

Fundamentals

8.0.0-preview1

Breaking changes:

7.6.1

New Features:

Bug Fixes:

8.0.0

CVE package updates

Breaking change:

Overall improvements to the validation in IdentityModel:

New Features:

Bug fixes:

Fundamentals

8.0.0-preview1

Breaking changes:

7.7.1

Bug Fix

7.7.0

CVE package updates

8.0.0

CVE package updates

Breaking change:

Overall improvements to the validation in IdentityModel:

New Features:

Bug fixes:

Fundamentals

8.0.0-preview1

Breaking changes:

7.6.1

New Features:

Bug Fixes:

dependabot bot commented on behalf of github Jul 29, 2024