[Feature Request] Warn when different versions of the IdentityModel NuGet packages are used #2513
Comments
Hello, thanks for raising this issue. I think I got a solution working where the nuget packages would have explicit version requirements: `= 7.4.0` instead of `>=`. Would that meet your expectations here? Edit: This wouldn't help until asp.net core took a package with the new version restrictions. |
duplicate of #1794 |
Do you have any ETA on this? We are severely impacted by this problem. |
Errors caused by combining newer Microsoft.IdentityModel.Tokens package versions with older Microsoft.IdentityModel.Protocols.OpenIdConnect package versions have led to several bug reports in the aspnetcore repo.
While warning is better than nothing, we shouldn't be making breaking changes to packages like Microsoft.IdentityModel.Tokens. If behavior needs to change, we should be adding new APIs rather than breaking old ones. I know every bug fix is technically a breaking change if you squint, but what's going on here is far beyond a simple bug fix. Microsoft.IdentityModel.Protocols.OpenIdConnect package versions that worked fine with older Microsoft.IdentityModel.Tokens versions now silently fail to read half the properties from I think rather than producing a warning or adding explicit max version requirements to packages (while better than nothing), we should revert the changes in #2491 so older Microsoft.IdentityModel.Protocols.OpenIdConnect packages continue to work with newer Microsoft.IdentityModel.Tokens packages. If we need a new, incompatible behavior for |
@halter73 @etiennelepagel the way we are planning on handling this is to ONLY change internals on major releases. Our 8.x release will require all assemblies to be 8.x. |
I'm confused as to how to solve this. I have recently upgraded to .NET 8.0 and also upgraded the Microsoft.IdentityModel and System.IdentityModel packages. All of those packages are at 7.6.0 and I'm still experiencing this issue. Here are all of my packages.
|
@ItWorksOnMyMachine the issue is we were not careful enough about moving around internals in minor releases. What other versions of IdentityModel are being pulled in? |
@ItWorksOnMyMachine if you list the transitive dependencies I expect you will see mismatched versions: `dotnet list package --include-transitive` |
Is your feature request related to a problem? Please describe.
Related to #2506
The wiki says:
However, that message is hidden away in the wiki where not everyone will see it. Even if that message were to be moved into the readme file, I still do not think it's enough because not having the same version of the libraries can result in code that silently fails, as demonstrated in #2506.
Having a build-time warning would prevent this mistake from occurring.
Describe the solution you'd like
Each NuGet package for the `Microsoft.IdentityModel.*` and `System.IdentityModel.*` libraries would contain an MSBuild task that checks the version of all IdentityModel libraries that are referenced by the project. If there is more than one unique version in use, a warning will be logged.
For example, given these package references:
A warning like this would be produced:
This warning explains what the problem is, and clearly identifies the versions of the transitive references, making it easy to understand what needs to be changed.
Describe alternatives you've considered
None.
Additional context
I have a working prototype for this and would be happy to contribute if this is a desired feature.
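The check requested above can be approximated outside the build by scanning the text output of `dotnet list package --include-transitive`, the command suggested in the comments. The following is an added example, not the prototype mentioned in this issue and not code from the IdentityModel project; the sample listing and its version numbers are constructed, and the function names are hypothetical.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Package families named in the feature request.
IDENTITYMODEL = re.compile(r"^(Microsoft|System)\.IdentityModel(\.|$)")
# A package row in the text output: "> Name [Requested] Resolved".
ROW = re.compile(r"^\s*>\s+(\S+)\s+(.*\S)\s*$")

# Constructed sample output: versions are made up to show a mismatch.
SAMPLE = """\
Project 'WebApp' has the following package references
   [net8.0]:
   Top-level Package                                     Requested   Resolved
   > Microsoft.AspNetCore.Authentication.JwtBearer       8.0.0       8.0.0
   > System.IdentityModel.Tokens.Jwt                     7.6.0       7.6.0

   Transitive Package                                         Resolved
   > Microsoft.IdentityModel.Protocols.OpenIdConnect          7.0.3
   > Microsoft.IdentityModel.Tokens                           7.6.0
   > Microsoft.IdentityModel.JsonWebTokens                    7.6.0
"""

def identitymodel_versions(listing: str) -> dict[str, set[str]]:
    """Map each resolved version to the IdentityModel packages using it."""
    by_version: dict[str, set[str]] = defaultdict(set)
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, framework line, or blank
        name, columns = m.group(1), m.group(2)
        if IDENTITYMODEL.match(name):
            # Resolved version is the last column for both top-level
            # and transitive rows.
            by_version[columns.split()[-1]].add(name)
    return dict(by_version)

def mismatch_warning(listing: str) -> str | None:
    """Return a warning if more than one unique version is in use."""
    by_version = identitymodel_versions(listing)
    if len(by_version) <= 1:
        return None
    parts = [f"{v}: {', '.join(sorted(p))}" for v, p in sorted(by_version.items())]
    return "Multiple IdentityModel versions resolved -> " + "; ".join(parts)

if __name__ == "__main__":
    print(mismatch_warning(SAMPLE))
```

In CI, pipe the real command output into `mismatch_warning` and fail the job on a non-`None` result; listings that cover several projects or target frameworks are aggregated into one check here.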