Releases: AzureAD/microsoft-identity-web
2.17.1
- Updated to Microsoft.IdentityModel.* 7.4.0
New features
- DownstreamApi now automatically processes claims challenges from web APIs which are CAE enabled, provided you set "ClientCapabilities" : ["cp1"] in the configuration. See issue #2550.
Bug fixes
- Fixes the use of ServiceDescriptor for containers which have keyed services present. This can be an issue on .NET 8.0. See issue #2676 for details.
Engineering excellence
- Calls to ConfidentialClientApplicationBuilderExtension.WithClientCredentials are fully async. See issue #2566 for details.
2.17.0
- Updated to Microsoft.IdentityModel.* 7.3.1 and MSAL.NET 4.59.0
New features
- Added support for Microsoft.NET.Sdk.Worker. See Worker calling APIs
- Added support for Managed identity when calling a downstream API on behalf of the app. See Calling APIs with Managed Identity and PR 2650. For details see PR #2645
Bug fixes
- In OWIN applications, GetTokenForUserAsync now respects the ClaimsPrincipal. See issue #2629 for details.
- After setting AddTokenAcquisition(useSingleton:true) to use token acquisition as a singleton, if you use .AddMicrosoftGraph and/or .AddDownstreamApi after this call, the GraphServiceClient and IDownstreamApis are now registered as singleton services. For details see PR #2645
- Added a check against injection attacks. For details see PR 2619
Engineering excellence
- Added a benchmark running on PR merges, available from https://azuread.github.io/microsoft-identity-web/benchmarks on GitHub pages
2.16.1
2.16.0
2.15.5
- Update to .NET 8 GA
- Update to Microsoft.Graph 5.34.0
Bug Fixes
- Fixes an issue where users were not able to override ICredentialsLoader. See #2564 for details.
- The latest patch version is no longer used in dependencies, as it made builds non-deterministic. See #2569 for details.
- Removed dependencies that were no longer needed. See #2577 for details.
- Fixes an issue where the build did not look up project names as package dependencies. See #2579 for more details.
Fundamentals
2.15.3
2.15.2
2.15.1
- Updated IdentityModel dependencies to Identity.Model.*.6.33.0 for all target frameworks other than .NET 8 rc1, for which Microsoft.Identity.Web leverages Identity.Model 7.0.2
New features
- TokenAcquirerFactory now adds support for reading the configuration from environment variables. See issue #2480
Experimental API
(to get feedback, could change without bumping-up the major version)
- It's now possible for an application to observe the client certificate selected by Token acquirer from the ClientCredentials properties, and when the certificate is un-selected (because it's rejected by the Identity Provider, as expired, or revoked). See Observing client certificates. PR #2496
Bug Fixes
- Fixes a resiliency issue where the client certificate rotation wasn't always happening (from KeyVault, or certificate store with same distinguished name). See #2496 for details.
- In the override of AddMicrosoftIdentityWebApp taking a delegate, the delegate is now called only once (it was called twice causing the TokenValidated event to be called twice as well). Fixes #2328
- Fixes a regression introduced in 2.13.3, causing the configuration to not be read when using an app builder other than the WindowsAppBuilder with AddMicrosoftIdentityWebApp/Api, unless you provided an empty authentication scheme when acquiring a token. Fixes #2460, #2410, #2394
2.14.0
2.13.4
- Update to IdentityModel 7.0.0-preview5 on .NET 8 and IdentityModel 6.32.3 for the other target frameworks.
- Update to MSAL 4.56.0, which now enables the cache synchronization by default
- Support for .NET 8 preview 7. See PR #2430
Bug fixes
- In Microsoft.Identity.Web.Owin, removed un-needed reference to Microsoft.Aspnet.WebApi.HelpPage. See issue #2417
- Fix to accommodate a breaking change in ASP.NET Core on .NET 8: the SecurityToken is now a JsonWebToken. See issue #2420
- Improved the usability of IDownstreamApi by checking all HttpResponse for success before returning to the caller, instead of swallowing issues. This is a change of behavior. See issue #2426
- Improvement/Fix of OWIN scenarios, especially the session with B2C: #2388
- Fix an issue with CIAM web APIs and added two CIAM test apps. See PR #2411
- Fix a bug that is now surfaced by the .NET 8 runtime. See issue #2448
- Added a lock while loading credentials. See issue #2439
Fundamentals
- Performance improvements: #2414
- Replaced Selenium with Playwright for more reliable, faster UI tests. See issue #2354
- Added MSAL telemetry about the kind of token cache used (L1/L2). See issue #1900
- Resilience improvement: IdWeb now attempts to reload a certificate from its description when AAD returns "certificate revoked" error. See issue #244