Upgrade IdWeb Sidecar to .NET 10 (LTS)#3841
Conversation
@microsoft-github-policy-service agree company="Microsoft" |
51685ab to
2b7636f
Compare
@microsoft-github-policy-service agree company="Microsoft" |
iNinja
left a comment
There was a problem hiding this comment.
Good, clean upgrade. The OpenAPI.NET v2 breaking changes are handled correctly, and the ForceRefresh schema bug is a nice fix. One missed file is a blocker.
Dockerfile (lines 6 and 11) — blocking
The plain Dockerfile (used for local builds and Visual Studio) wasn't updated in this PR. Lines 6 and 11 still reference .NET 9:
dockerfile FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
After this merges, docker build locally or building via VS will produce a .NET 9 image while the project targets net10.0. Both references need bumping to 10.0.
There was a problem hiding this comment.
Pull request overview
This PR upgrades the Microsoft.Identity.Web Sidecar project and its E2E tests from .NET 9 to .NET 10 (LTS), aligning the Sidecar’s runtime, dependencies, and container images with the supported platform baseline.
Changes:
- Bumped Sidecar and Sidecar E2E tests to
net10.0, and updated ASP.NET Core dependency versions to10.0.0. - Updated Sidecar OpenAPI helpers to accommodate OpenAPI.NET v2 API/namespace changes (e.g.,
JsonSchemaType). - Updated Sidecar Docker base images to ASP.NET Core
10.0and suppressed new .NET 10 entry-point trim-analyzer restrictions via pragmas.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tests/E2E Tests/Sidecar.Tests/Sidecar.Tests.csproj | Moves Sidecar E2E tests to net10.0 and updates Microsoft.AspNetCore.Mvc.Testing to 10.0.0. |
| src/Microsoft.Identity.Web.Sidecar/Program.cs | Adds analyzer warning suppressions for .NET 10 entry-point attribute restrictions. |
| src/Microsoft.Identity.Web.Sidecar/OptionsOverrideSchemaTransformer.cs | Updates OpenAPI namespace import for OpenAPI.NET v2 compatibility. |
| src/Microsoft.Identity.Web.Sidecar/OpenApiDescriptions.cs | Updates OpenAPI schema typing to JsonSchemaType and adds parameter null guards. |
| src/Microsoft.Identity.Web.Sidecar/DockerFile.NanoServer | Updates NanoServer ASP.NET runtime base image from 9.0 to 10.0. |
| src/Microsoft.Identity.Web.Sidecar/Dockerfile.AzureLinux | Updates AzureLinux distroless ASP.NET runtime base image from 9.0 to 10.0. |
| src/Microsoft.Identity.Web.Sidecar/Directory.Build.props | Updates Sidecar TFM to net10.0 and bumps Sidecar ASP.NET dependency version to 10.0.0. |
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
SidecarEndpointsE2ETests require Azure AD lab credentials that are not available in CI when running from fork PRs. The net9.0 test step already excludes these tests, but the net10.0 step was missing the same filter, causing CI failures on fork PRs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pinned [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) at 4.11.0. <details> <summary>Release notes</summary> _Sourced from [Microsoft.Identity.Web's releases](https://github.com/AzureAD/microsoft-identity-web/releases)._ ## 4.11.0 ## What's Changed * Bump vitest from 3.2.4 to 4.1.0 in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in AzureAD/microsoft-identity-web#3836 * Bump MSAL.NET to 4.84.2 and align OWIN binding redirects by @gladjohn with @Copilot in AzureAD/microsoft-identity-web#3844 * docs(design): devex proposal for mTLS PoP on Managed Identity and FIC by @gladjohn in AzureAD/microsoft-identity-web#3832 * Prevent OpenIdConnectMiddlewareDiagnostics from logging sensitive values by @iarekk in AzureAD/microsoft-identity-web#3850 * Add MSI mTLS PoP support: pure MI + FIC-with-MI (impl for devex #3832) by @gladjohn in AzureAD/microsoft-identity-web#3839 * docs(design): devex proposal for Bearer tokens with bound credentials by @gladjohn in AzureAD/microsoft-identity-web#3833 * Add bound-credential support for Bearer tokens (cert + mTLS) by @gladjohn in AzureAD/microsoft-identity-web#3835 * Upgrade IdWeb Sidecar to .NET 10 (LTS) by @soodt in AzureAD/microsoft-identity-web#3841 * MTLS Without Tokens Support - MicrosoftIdentityMessageHandler Support by @tlupes in AzureAD/microsoft-identity-web#3815 * fix: include isTokenBinding in CCA cache key to prevent bearer/PoP collision by @gladjohn in AzureAD/microsoft-identity-web#3867 * Test + doc: x-ms-tokenboundauth header for AKV mTLS PoP via ExtraHeaderParameters by @gladjohn in AzureAD/microsoft-identity-web#3864 * Add mTLS PoP Copilot skill (certificate, MSI, FIC) by @gladjohn in AzureAD/microsoft-identity-web#3872 * Fix CVE-2026-48109: Pin MessagePack to patched version 2.5.301 by @soodt in AzureAD/microsoft-identity-web#3865 * Sidecar: gate agent identity parameters behind AllowOverrides by @iNinja in AzureAD/microsoft-identity-web#3871 * Bump System.Formats.Asn1 base version to 10.0.2 by @iarekk in AzureAD/microsoft-identity-web#3875 * Bump Microsoft.IdentityModel.* from 8.18.0 to 8.19.1 by @iarekk in AzureAD/microsoft-identity-web#3879 * Use IIdentityLogger for MSAL logging in TokenAcquisition and ManagedIdentityClientAssertion (#3820) by @neha-bhargava in AzureAD/microsoft-identity-web#3880 * Update Microsoft.Identity.Abstractions to 12.2.0 and MSAL to 4.85.0 by @neha-bhargava in AzureAD/microsoft-identity-web#3881 * Surface MSAL AuthenticationResultMetadata + exception details on AcquireTokenResult by @neha-bhargava in AzureAD/microsoft-identity-web#3856 * Flow outgoing request to header providers via AcquireTokenOptions by @neha-bhargava in AzureAD/microsoft-identity-web#3876 * Throw on Authority vs Instance/TenantId conflict (OIDC + MSAL parity) by @iarekk in AzureAD/microsoft-identity-web#3873 * Delete .github/workflows/evergreen.yml by @bgavrilMS in AzureAD/microsoft-identity-web#3803 * Add comprehensive authority configuration and precedence documentation by @jmprieur with @Copilot in AzureAD/microsoft-identity-web#3617 * Bump js-yaml from 4.1.1 to 4.2.0 in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in AzureAD/microsoft-identity-web#3862 * Move authority docs into docs/authority-configuration/ subfolder by @iarekk in AzureAD/microsoft-identity-web#3885 * Revert "Throw on Authority vs Instance/TenantId conflict (#3873)" by @iarekk in AzureAD/microsoft-identity-web#3888 * Update Microsoft.Identity.Client to 4.85.1 by @neha-bhargava in AzureAD/microsoft-identity-web#3889 * Enable E2E test coverage on internal Azure DevOps pipelines by @gladjohn in AzureAD/microsoft-identity-web#3883 * Bump esbuild and tsx in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in AzureAD/microsoft-identity-web#3859 * Skip AcquireTokenWithMtlsPop test: AAD westus3 test slice returns Bearer by @neha-bhargava in AzureAD/microsoft-identity-web#3892 ## New Contributors * @iarekk made their first contribution in AzureAD/microsoft-identity-web#3850 * @soodt made their first contribution in AzureAD/microsoft-identity-web#3841 **Full Changelog**: AzureAD/microsoft-identity-web@4.10.0...4.11.0 Commits viewable in [compare view](AzureAD/microsoft-identity-web@4.10.0...4.11.0). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upgrade Sidecar from .NET 9 (EOL) to .NET 10 (LTS).
Description
.NET 9 reached end-of-life. This PR upgrades the Sidecar project to .NET 10 (LTS, supported until Nov 2028).
Changes
Version bump (3 files):
Directory.Build.props:net9.0→net10.0,SidecarAspDependencyVersion9.0.9→10.0.0Dockerfile.AzureLinux: base imageaspnet:9.0-azurelinux3.0-distroless→10.0DockerFile.NanoServer: base imageaspnet:9.0-nanoserver-ltsc2022→10.0Dockerfile: base imagesaspnet:9.0/sdk:9.0→10.0(local/VS builds)OpenAPI v2 breaking changes (2 files):
Microsoft.AspNetCore.OpenApi10.0 ships with OpenAPI.NET v2, which has namespace and type changes:OpenApiDescriptions.cs:using Microsoft.OpenApi.Models→using Microsoft.OpenApi;Schema.Typechanged fromstringtoJsonSchemaTypeenum; added null guards forop.ParametersOptionsOverrideSchemaTransformer.cs: namespace update onlyAddAcquireTokenOptionparameter order to matchAddSimple(name, type, desc) — fixes a pre-existing bug whereForceRefreshhad its description and type arguments silently swappedTrimmer attribute restriction (1 file):
Program.cs: .NET 10 disallows[RequiresUnreferencedCode]/[RequiresDynamicCode]on entry points (IL2123/IL3057). Added pragma suppression.Test project update (1 file)
Sidecar.Tests.csproj:net9.0→net10.0,Microsoft.AspNetCore.Mvc.Testing9.0.0 → 10.0.0CI workflow fix (1 file)
.github/workflows/dotnetcore.yml: AddedSidecarEndpointsE2ETestsexclusion to the net10.0 test step. These are E2E tests that require Azure AD lab credentials (client certificates inLocalMachine/Mystore) which are not available in GitHub Actions CI. The net9.0 test step already had this exclusion; the net10.0 step was missing it. The tests are also guarded by a#if !FROM_GITHUB_ACTIONpreprocessor directive, but the test filter is needed as an additional safeguard since the test assembly still gets discovered bydotnet test.Testing
dotnet publishsucceeds targetingnet10.0GET /healthz→ 200GET /Validatewith Bearer token → 200