chore(deps): update dependency system.identitymodel.tokens.jwt to 6.36.0 #8
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/dotnet-azure-ad-identitymodel-extensions-monorepo
branch
from
6433d9e
to
c72e4d9
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/dotnet-azure-ad-identitymodel-extensions-monorepo
branch
from
c72e4d9
to
9e32b98
Compare
renovate
bot
changed the title
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
6.17.0->6.36.0Release Notes
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (System.IdentityModel.Tokens.Jwt)
v6.36.06.36.0
CVE package updates
CVE-2024-30105
New feature
ClaimsIdentitywhere claim retrieval is case-sensitive. The currentClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlyingSecurityToken. The newCaseSensitiveClaimsIdentityclass provides consistent retrieval logic withSecurityToken. Opt in to the new behavior via an AppContext switch. See PR #2710 for details.Fundamentals
v6.35.0Compare Source
Bug Fix
AadIssuerValidator's handling of trailing forward slashes. See issue [#2415] for more details.Feature
v6.34.0Security fixes
See https://aka.ms/IdentityModel/Jan2024/zip and https://aka.ms/IdentityModel/Jan2024/jku for details.
v6.33.0: 6.33.0Bug Fixes:
v6.32.3Compare Source
=======
Bug fixes:
v6.32.2Compare Source
=======
Bug fixes:
v6.32.1=======
Bug fixes:
JsonClaimSetClaims andJsonWebTokenAudiences. See #2185 for details.v6.32.0=======
New features:
Bug fixes
v6.31.0Compare Source
========
This release contains work from the following PRs and commits:
v6.30.1Compare Source
=========
This release contains work from the following PRs:
This release addresses #1743 and, as such, going forward if the SymmetricKey is smaller than the required size for HMAC IdentityModel will throw an ArgumentOutOfRangeException which is the same exception when the SymmetricKey is smaller than the minimum key size for encryption.
v6.30.0Compare Source
=========
Beginning in release 6.28.0 the library stopped throwing SecurityTokenUnableToValidateException. This version (6.30.0) marks the exception type as obsolete to make this change more discoverable. Not including it in the release notes explicitly for 6.28.0 was a mistake. This exception type will be removed completely in the next few months as the team moves towards a major version bump. More information on how to replace the usage going forward can be found here: https://aka.ms/SecurityTokenUnableToValidateException
Indicate that a SecurityTokenDescriptor can create JWS or JWE
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2055
Specify 'UTC' in log messages
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@ceb10b1
Fix order of log messages
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@05eeeb5
Fixed issues with matching Jwt.Kid with a X509SecurityKey.x5t
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2057
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2061
Marked Exception that is no longer used as obsolete
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2060
Added support for AesGcm on .NET 6.0 or higher
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@85fa86a
First round of triming analysis preperation for AOT
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2042
Added new API on TokenHandler.ValidateTokenAsync(SecurityToken ...) implemented only on JsonWebTokenHandler.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2056
v6.29.0Compare Source
=========
v6.28.1Compare Source
=========
v6.28.0Compare Source
========
v6.27.0========
Servicing release
Set maximum depth for Newtonsoft parsing.https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/20244
Improve metadata failure message.https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/20100
Validate size of symmetric signatures.https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/20088
Added property TokenEndpoint to BaseConfiguration.https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/19988
v6.26.1=========
Bug Fixes:
Releasing a Hotfix for Wilson 6.26.0 that reverts async/await changes made in #1996 to address a performance reduction issue.
v6.26.0Compare Source
Servicing release
Introducing a new boolean TokenValidationParameter LogTokenId.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2002
Update System.Text.Encodings.Web
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1997
Update ValidateToken call stack fully async
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1996
JsonWebTokenHandler to return the JsonWebToken on validation failure
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1989
Update documentation of DefaultTokenLifetimeInMinutes
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1988
v6.25.1Compare Source
Servicing release
.net was throwing when JWT tokens contained claims that used escaped characters.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1975
Fixed Typo in comments
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1971
Added inner exception to help diagnose when reading JWT tokens fails.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1968
Updated comments to improve understanding of RoleClaimTypeRetriever and NameClaimTypeRetriever
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1960
v6.25.0Compare Source
Add Instance property bag that is cleared when Clone is called.
Added comments to JsonWebTokenHandler and JwtSecurityTokenHandler to emphasize that ReadToken does not validate the token.
#1952
#1954
v6.24.0Compare Source
Single feature to control if exceptions are logged for Audience and Issuer failures.
Sometimes multiple policies are used, when a subsequent policy succeeds the upper layer can decide if previous exceptions should be logged.
#1949
v6.23.1Compare Source
A simple 'dot' release to fix an issue where JsonWebTokenHandler virtual CreateClaimsIdentity was not called.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1940
v6.23.0Compare Source
=========
New Features:
Microsoft.IdentityModel has two assemblies to manipulate JWT tokens:
System.IdentityModel.Tokens.Jwt, which is the legacy assembly. It defines JwtSecurityTokenHandler class to manipulate JWT tokens.
Microsoft.IdentityModel.JsonWebTokens, which defines the JsonWebToken class and JsonWebTokenHandler, more modern, and more efficient.
When using JwtSecurityTokenHandler, the short named claims (oid, tid), used to be transformed into the long named claims (with a namespace). With JsonWebTokenHandler this is no longer the case, but when you migrate your application from using JwtSecurityTokenHandler to JsonWebTokenHandler (or use a framework that does), you will only get original claims sent by the IdP. This is more efficient, and occupies less space, but might trigger a lot of changes in your application. In order to make it easier for people to migrate without changing their app too much, this PR offers extensibility to re-add the claims mapping.
Bug Fixes:
v6.22.1Compare Source
=========
New Features:
Microsoft.IdentityModel has two assemblies to manipulate JWT tokens:
System.IdentityModel.Tokens.Jwt, which is the legacy assembly. It defines JwtSecurityTokenHandler class to manipulate JWT tokens.
Microsoft.IdentityModel.JsonWebTokens, which defines the JsonWebToken class and JsonWebTokenHandler, more modern, and more efficient.
When using JwtSecurityTokenHandler, the short named claims (oid, tid), used to be transformed into the long named claims (with a namespace). With JsonWebTokenHandler this is no longer the case, but when you migrate your application from using JwtSecurityTokenHandler to JsonWebTokenHandler (or use a framework that does), you will only get original claims sent by the IdP. This is more efficient, and occupies less space, but might trigger a lot of changes in your application. In order to make it easier for people to migrate without changing their app too much, this PR offers extensibility to re-add the claims mapping.
Bug Fixes:
v6.22.0Compare Source
=========
New Features:
Unmasked non-PII properties in log messages -
In Microsoft.IdentityModel logs, previously only system metadata (DateTime, class name, httpmethod etc.) was displayed in clear text. For all other log arguments, the type was being logged to prevent Personally Identifiable Information (PII) from being displayed when ShowPII flag is turned OFF. To improve troubleshooting experience non-PII properties - Issuer, Audience, Key location, Key Id (kid) and some SAML constants will now be displayed in clear text. See issue #1903 for more details.
Prefix Wilson header message to the first log message -
To always log the Wilson header (Version, DateTime, PII ON/OFF message), EventLogLevel.LogAlways was mapped to LogLevel.Critical in Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter class which caused confusion on why header was being displayed as a fatal log.
To address this, header is now prefixed to the first message logged by Wilson and separated with a newline. EventLogLevel.LogAlways has been remapped to LogLevel.Trace. See issue #1907 for more details.
Bug Fixes:
Copy the IssuerSigningKeyResolverUsingConfiguration delegate in Clone() #1909
v6.21.0Compare Source
Dependency Updates:
Updated Newtonsoft dependency to 13.0.2 #1902
Bug Fixes:
Add M.IM.TestExtensions to strong name by pass. #1897
Add early alerting for governance #1896
Adjust log level #1893
Fundamentals
Update newtonsoft per governance report #1890
v6.20.0Compare Source
New Feature:
Microsoft.IdentityModel now provides a LoggerContext class to aid with debugging. See issue #1876 for details.
Bug Fixes:
The
ctyclaim is now optional. See issue #1861 for details.The signature of the token is no longer logged. See issue #1880 for details.
ValidateHash method Alg is null when token is a JWE token. See issue #1680 for details.
Fixed the issue the compaction actions are queued but potentially never got started. See issue #1871 for details.
v6.19.0Compare Source
Enhancements
v6.18.0Compare Source
Enhancements
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.