Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency system.identitymodel.tokens.jwt to 6.36.0 #8

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Jan 12, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
System.IdentityModel.Tokens.Jwt 6.17.0 -> 6.36.0 age adoption passing confidence

Release Notes

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (System.IdentityModel.Tokens.Jwt)

v6.36.0

6.36.0

CVE package updates

CVE-2024-30105

New feature
  • A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Opt in to the new behavior via an AppContext switch. See PR #​2710 for details.
Fundamentals
  • Update signing info for NuGet packages. See PR #​2696 for details.

v6.35.0

Compare Source

Bug Fix
  • fix AadIssuerValidator's handling of trailing forward slashes. See issue [#​2415] for more details.
Feature
  • Adds an AppContext switch to control HMAC key size verification. See #​2421 for more details.

v6.34.0

Security fixes

See https://aka.ms/IdentityModel/Jan2024/zip and https://aka.ms/IdentityModel/Jan2024/jku for details.

v6.33.0: 6.33.0

Bug Fixes:

  • Clean up log messages. See #​2339 for details.
  • Decouple JsonElements from JsonDocument, which causes issues in multi-threaded environments. See #​2340 for details.

v6.32.3

Compare Source

=======

Bug fixes:

  • Fix logging messages. See #​2288 for details.

v6.32.2

Compare Source

=======

Bug fixes:

  • Underlying JsonDocument is never disposed, causing high latency in large scale services. See #​2258 for details.

v6.32.1

=======

Bug fixes:

  • Fix thread safety for JsonClaimSet Claims and JsonWebToken Audiences. See #​2185 for details.

v6.32.0

=======

New features:

  • Adding an AAD specific signing key issuer validator. See issue #​2134 for details.
  • Better support for WsFederation. See PR for details.

Bug fixes

  • Address perf regression introduced in 6.31.0. See PR for details.

v6.31.0

Compare Source

========
This release contains work from the following PRs and commits:

v6.30.1

Compare Source

=========
This release contains work from the following PRs:

  • Modified token validation to be async throughout the call graph #​2075
  • Enforce key sizes when creating HMAC #​2072
  • Fix AotCompatibilityTests #​2066
  • Use up-to-date "now", in case take long time to get Metadata #​2063

This release addresses #​1743 and, as such, going forward if the SymmetricKey is smaller than the required size for HMAC IdentityModel will throw an ArgumentOutOfRangeException which is the same exception when the SymmetricKey is smaller than the minimum key size for encryption.

v6.30.0

Compare Source

=========
Beginning in release 6.28.0 the library stopped throwing SecurityTokenUnableToValidateException. This version (6.30.0) marks the exception type as obsolete to make this change more discoverable. Not including it in the release notes explicitly for 6.28.0 was a mistake. This exception type will be removed completely in the next few months as the team moves towards a major version bump. More information on how to replace the usage going forward can be found here: https://aka.ms/SecurityTokenUnableToValidateException

Indicate that a SecurityTokenDescriptor can create JWS or JWE
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2055
Specify 'UTC' in log messages
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@ceb10b1
Fix order of log messages
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@05eeeb5

Fixed issues with matching Jwt.Kid with a X509SecurityKey.x5t
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2057
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2061

Marked Exception that is no longer used as obsolete
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2060

Added support for AesGcm on .NET 6.0 or higher
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@85fa86a

First round of triming analysis preperation for AOT
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2042

Added new API on TokenHandler.ValidateTokenAsync(SecurityToken ...) implemented only on JsonWebTokenHandler.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2056

v6.29.0

Compare Source

=========

  • Add BootstrapRefreshInterval (#​2052)
  • Added net462 target (#​2049)
  • Create the configuration cache in the BaseConfigurationManager class (#​2048)

v6.28.1

Compare Source

=========

  • Add BootstrapRefreshInterval (#​2052)
  • Added net462 target (#​2049)
  • Create the configuration cache in the BaseConfigurationManager class (#​2048)

v6.28.0

Compare Source

========

v6.27.0

========
Servicing release
Set maximum depth for Newtonsoft parsing.https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/20244
Improve metadata failure message.https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/20100
Validate size of symmetric signatures.https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/20088
Added property TokenEndpoint to BaseConfiguration.https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/19988

v6.26.1

=========

Bug Fixes:

Releasing a Hotfix for Wilson 6.26.0 that reverts async/await changes made in #​1996 to address a performance reduction issue.

  • Changes are in #​2015
  • Root cause analysis and fix will be tracked in #​2017

v6.26.0

Compare Source

Servicing release
Introducing a new boolean TokenValidationParameter LogTokenId.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2002
Update System.Text.Encodings.Web
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1997
Update ValidateToken call stack fully async
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1996
JsonWebTokenHandler to return the JsonWebToken on validation failure
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1989
Update documentation of DefaultTokenLifetimeInMinutes
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1988

v6.25.1

Compare Source

Servicing release
.net was throwing when JWT tokens contained claims that used escaped characters.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1975
Fixed Typo in comments
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1971
Added inner exception to help diagnose when reading JWT tokens fails.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1968
Updated comments to improve understanding of RoleClaimTypeRetriever and NameClaimTypeRetriever
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1960

v6.25.0

Compare Source

Add Instance property bag that is cleared when Clone is called.
Added comments to JsonWebTokenHandler and JwtSecurityTokenHandler to emphasize that ReadToken does not validate the token.
#​1952
#​1954

v6.24.0

Compare Source

Single feature to control if exceptions are logged for Audience and Issuer failures.
Sometimes multiple policies are used, when a subsequent policy succeeds the upper layer can decide if previous exceptions should be logged.
#​1949

v6.23.1

Compare Source

A simple 'dot' release to fix an issue where JsonWebTokenHandler virtual CreateClaimsIdentity was not called.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/1940

v6.23.0

Compare Source

=========

New Features:

Microsoft.IdentityModel has two assemblies to manipulate JWT tokens:

System.IdentityModel.Tokens.Jwt, which is the legacy assembly. It defines JwtSecurityTokenHandler class to manipulate JWT tokens.
Microsoft.IdentityModel.JsonWebTokens, which defines the JsonWebToken class and JsonWebTokenHandler, more modern, and more efficient.
When using JwtSecurityTokenHandler, the short named claims (oid, tid), used to be transformed into the long named claims (with a namespace). With JsonWebTokenHandler this is no longer the case, but when you migrate your application from using JwtSecurityTokenHandler to JsonWebTokenHandler (or use a framework that does), you will only get original claims sent by the IdP. This is more efficient, and occupies less space, but might trigger a lot of changes in your application. In order to make it easier for people to migrate without changing their app too much, this PR offers extensibility to re-add the claims mapping.

Bug Fixes:

v6.22.1

Compare Source

=========

New Features:

Microsoft.IdentityModel has two assemblies to manipulate JWT tokens:

System.IdentityModel.Tokens.Jwt, which is the legacy assembly. It defines JwtSecurityTokenHandler class to manipulate JWT tokens.
Microsoft.IdentityModel.JsonWebTokens, which defines the JsonWebToken class and JsonWebTokenHandler, more modern, and more efficient.
When using JwtSecurityTokenHandler, the short named claims (oid, tid), used to be transformed into the long named claims (with a namespace). With JsonWebTokenHandler this is no longer the case, but when you migrate your application from using JwtSecurityTokenHandler to JsonWebTokenHandler (or use a framework that does), you will only get original claims sent by the IdP. This is more efficient, and occupies less space, but might trigger a lot of changes in your application. In order to make it easier for people to migrate without changing their app too much, this PR offers extensibility to re-add the claims mapping.

Bug Fixes:

v6.22.0

Compare Source

=========

New Features:

Unmasked non-PII properties in log messages -
In Microsoft.IdentityModel logs, previously only system metadata (DateTime, class name, httpmethod etc.) was displayed in clear text. For all other log arguments, the type was being logged to prevent Personally Identifiable Information (PII) from being displayed when ShowPII flag is turned OFF. To improve troubleshooting experience non-PII properties - Issuer, Audience, Key location, Key Id (kid) and some SAML constants will now be displayed in clear text. See issue #​1903 for more details.

Prefix Wilson header message to the first log message -
To always log the Wilson header (Version, DateTime, PII ON/OFF message), EventLogLevel.LogAlways was mapped to LogLevel.Critical in Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter class which caused confusion on why header was being displayed as a fatal log.
To address this, header is now prefixed to the first message logged by Wilson and separated with a newline. EventLogLevel.LogAlways has been remapped to LogLevel.Trace. See issue #​1907 for more details.

Bug Fixes:

Copy the IssuerSigningKeyResolverUsingConfiguration delegate in Clone() #​1909

v6.21.0

Compare Source

Dependency Updates:

Updated Newtonsoft dependency to 13.0.2 #​1902

Bug Fixes:

Add M.IM.TestExtensions to strong name by pass. #​1897

Add early alerting for governance #​1896

Adjust log level #​1893

Fundamentals

Update newtonsoft per governance report #​1890

v6.20.0

Compare Source

New Feature:

Microsoft.IdentityModel now provides a LoggerContext class to aid with debugging. See issue #​1876 for details.

Bug Fixes:

The cty claim is now optional. See issue #​1861 for details.

The signature of the token is no longer logged. See issue #​1880 for details.

ValidateHash method Alg is null when token is a JWE token. See issue #​1680 for details.

Fixed the issue the compaction actions are queued but potentially never got started. See issue #​1871 for details.

v6.19.0

Compare Source

Enhancements

  • Introducing IdentityLoggerAdapter for Identity Libraries integrating (#​1862)

v6.18.0

Compare Source

Enhancements

  • Simplify strings comparison with Ordinal option (#​1775)
  • Set 'cty' claim in JWE header (#​1588)
  • Added custom logger interface (#​1823)
  • log cert thumbprint (#​1820)
  • Introduced custom log level enum to remove dependency on System.Diagnostics.Tracing.EventLevel in IIdentityLogger (#​1843)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/dotnet-azure-ad-identitymodel-extensions-monorepo branch from 6433d9e to c72e4d9 Compare July 11, 2024 23:52
@renovate renovate bot changed the title chore(deps): update dependency system.identitymodel.tokens.jwt to v6.35.0 chore(deps): update dependency system.identitymodel.tokens.jwt to v6.35.1 Jul 11, 2024
@renovate renovate bot force-pushed the renovate/dotnet-azure-ad-identitymodel-extensions-monorepo branch from c72e4d9 to 9e32b98 Compare July 19, 2024 05:55
@renovate renovate bot changed the title chore(deps): update dependency system.identitymodel.tokens.jwt to v6.35.1 chore(deps): update dependency system.identitymodel.tokens.jwt to v6.36.0 Jul 19, 2024
@renovate renovate bot changed the title chore(deps): update dependency system.identitymodel.tokens.jwt to v6.36.0 chore(deps): update dependency system.identitymodel.tokens.jwt to 6.36.0 Aug 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

0 participants