Releases: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
Releases · AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
7.7.0
7.7.0
CVE package updates
- A derived
ClaimsIdentity
where claim retrieval is case-sensitive. The currentClaimsIdentity
, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlyingSecurityToken
. The newCaseSensitiveClaimsIdentity
class provides consistent retrieval logic withSecurityToken
. Opt in to the new behavior via an AppContext switch. See PR #2715 for details.
Performance improvement
AppContext.TryGetSwitch
statically caches internally but takes out a lock.
.NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.
6.36.0
6.36.0
CVE package updates
New feature
- A derived
ClaimsIdentity
where claim retrieval is case-sensitive. The currentClaimsIdentity
, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlyingSecurityToken
. The newCaseSensitiveClaimsIdentity
class provides consistent retrieval logic withSecurityToken
. Opt in to the new behavior via an AppContext switch. See PR #2710 for details.
Fundamentals
- Update signing info for NuGet packages. See PR #2696 for details.
8.0.0
8.0.0
CVE package updates
- See PR #2707 for details.
Breaking change:
Full list of breaking changes.
- A derived
ClaimsIdentity
where claim retrieval is case-sensitive. The currentClaimsIdentity
, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlyingSecurityToken
. The newCaseSensitiveClaimsIdentity
class provides consistent retrieval logic withSecurityToken
. Fallback to previous behavior via an AppContext switch. See PR #2700 for details. - Make
CollectionUtilities.IsNullOrEmpty
internal. If your code used this method, you now have to provide your own implementation. See issues #2651 and #1722 for details.
Overall improvements to the validation in IdentityModel:
- See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.
New Features:
- Allow users to provide a
Stream
toWrite
inOIDCConfigurationSerializer
. See PR #2698 for details.
Bug fixes:
- Remove dependency on
AadIssuerValidator.GetTenantIdFromToken
inValidateIssuerSigningKey
, to only consider thetid
. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #2680 for details. - Continuation of #2637 and #2646. Add the metadata
authorization_details_types_supported
from RFC 9396 - OAuth 2.0 Rich Authorization Requests toOpenIdConnectConfiguration
. - The class
OpenIdConnectPrompt
now has thecreate
prompt from Initiating User Registration via OpenID Connect 1.0
- The following grant types are now included in
OpenIdConnectGrantTypes
:urn:ietf:params:oauth:grant-type:saml2-bearer
from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants,urn:ietf:params:oauth:grant-type:jwt-bearer
from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants,urn:ietf:params:oauth:grant-type:device_code
from RFC 8628 - OAuth 2.0 Device Authorization Grant,urn:ietf:params:oauth:grant-type:token-exchange
from RFC 8693 - OAuth 2.0 Token Exchange,urn:openid:params:grant-type:ciba
from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0 - Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #2524 for details.
- When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a
NotImplementedException
. Now a message is returned that the user can act on to fix the issue. See issue #1970.
Fundamentals
- Remove code that was used in target frameworks that got removed. See PR #2673 for details.
- Rename local variables for better readability. See PR #2674 for details.
- Refactor XML comments for improved clarity. See PR #2676, #2677, #2678, #2689 and #2703 for details.
- Fix flaky test. See issue #2683 for details.
- Made
ConfigurationManager.GetConfigurationAsync
a virtual method. See PR #2661
8.0.0-preview1
8.0.0-preview1
Breaking changes:
- IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue #2544 for details.
- Two IdentityModel extension dlls
Microsoft.IdentityModel.KeyVaultExtensions
andMicrosoft.IdentityModel.ManagedKeyVaultSecurityKey
were using ADAL, which is no longer supported . The affected packages have been removed, as the replacement is to use Microsoft.Identity.Web. See issue #2454 for details. AppContext.SetSwitch
which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue #2629 and https://aka.ms/IdentityModel8x for details.
7.6.2
7.6.1
7.6.1
New Features:
- Add missing metadata parameters to OpenIdConnectConfiguration. See issue #2498 for details.
Bug Fixes:
- Fix over-reporting of
IDX14100
. See issue #2058 and PR #2618 for details. JwtRegisteredClaimNames
now contains previously missing Standard OpenIdConnect claims. See issue #1598 for details.
Performance Improvements:
7.6.0
7.6.0
New Features:
- Update
JsonWebToken
- extract and expose the method that reads the header/payload property values from the reader so it can be overridden in children classes to add any extra own logic. See issues #2581, #2583, and #2495 for details.
Bug Fixes:
- JWE header algorithm is now compliant to IANA document. See issue #2089 for details.
Performance Improvements:
- Reduce the number of internal array allocations that need to happen for each claim set, see PR #2596.
Fundamentals:
- Add an AOT compatibility check on each PR to ensure only AOT compatible code is checked-in. See PR #2598.
- Update perl scrip for OneBranch build. See PR #2602.
- Add langversion 12 to benchmark tests. See PR #2601.
- Removed unused build.cmd file. See PR #2605.
- Create CodeQL exclusions file. See PR #2609.
- Fix variable usage in AOT script. See PR #2610.
- Move
Microsoft.IdentityModel.Tokens
delegates to a new file. See PR #2606
7.5.2
7.5.2
Bug Fixes:
- Validate authentication tag length so a JWE with appended characters will not be considered a valid token. See issues #2201, #1641, PR #2569, and IDX10625 Wiki for details. By @kellyyangsong
Fundamentals:
- App Context Switches in Identity Model 7x are now documented here. By @kellyyangsong
Performance Improvements:
- In .NET 6 or greater, use a temporary buffer to reduce intermediate allocation in
VerifyRsa
/VerifyECDsa
. See PR #2589 for more details. By @eerhardt - Reduce allocations in
ValidateSignature
by using a collection expression instead ofnew List<SecurityKey> { key }
, to optimize for the single element case. See PR #2586 for more details. By @eerhardt - Remove Task allocation in
AadIssuerValidator
. See PR #2584 for more details. By @eerhardt
7.5.1
Performance Improvements:
- Use Base64.DecodeFromUtf8InPlace for base64 decode that saves 12% on token read time. Note that JsonWebToken no longer throws ArgumentOutOfRangeException and ArgumentException exceptions. See PR #2504. By @keegan-caruso.
Fundamentals:
- Moved token lifetime validation logic to an internal static class. See PR #2547. By @kellyyangsong.
Bug Fix:
- Contribution from @martinb69 to fix correct parsing of
UserInfoEndpoint
. See issue #2548 for details.
7.5.0
New Features:
Supports the 1.1 version of the Microsoft Entra ID Endpoint #2503
What's Changed
Full Changelog: v7.4.1...7.5.0