2.17.1

2.17.1

• Updated to Microsoft.IdentityModel.* 7.4.0

New features

• DownstreamApi now automatically processes claims challenge from web APIs which are CAE enabled, provided you set "ClientCapablities" : ["cp1"] in the configuation. See issue #2550.

Bug fixes

• Fixes the use of ServiceDescriptor for containers which have keyed services present. This can be an issue on .NET 8.0. See issue #2676 for details.

Engineering excellence

• Calls to ConfidentialClientApplicationBuilderExtension.WithClientCredentials are fully async. See issue #2566 for details.

2.17.0

2.17.0

• Updated to Microsoft.IdentityModel.* 7.3.1 and MSAL.NET 4.59.0

New features

• Added support for Microsoft.NET.Sdk.Worker. See Worker calling APIs
• Added support for Managed identity when calling a downstream API on behalf of the app. See Calling APIs with Managed Identity and PR 2650. For details see PR #2645

Bug fixes

• In OWIN applications, GetTokenForUserAsync now respects the ClaimsPrincipal. See issue #2629 for details.
• After setting AddTokenAcquisition(useSingleton:true) to use token acquisition as a singleton, if you use .AddMicrosoftGraph and/or .AddDownstreamApi after this call,
  the GraphServiceClient and IDownstreamApis are now registered as a singleton service. For details see PR #2645
• Added check Against Injection Attacks. For details see PR 2619

Engineering excellence

• Added a benchmark running on PR merges, available from https://azuread.github.io/microsoft-identity-web/benchmarks on GitHub pages

2.16.1

2.16.1

• Update Microsoft.Identity.Abstractions 5.1.0 and Microsoft.IdentityModel.* 7.1.2

Bug Fixes

• In OWIN, Id Web now respects the passed in user argument. See issue #2585 for details.

2.16.0

Leverage IdentityModel 7.x on all .NET core frameworks.

2.15.5

2.15.5

• Update to .NET 8 GA
• Update to Microsoft.Graph 5.34.0

Bug Fixes

• Fixes an issue where users were not able to override ICredentialsLoader. See #2564 for details.
• The latest patch version is no longer used in dependencies, as it made builds non-deterministic. See #2569 for details.
• Removed dependencies that were no longer needed. See #2577 for details.
• Fixes an issue where the build did not look up project names as package dependencies. See #2579 for more details.

Fundamentals

• Enable baseline package validation, see #2572 for details.
• Improve trimmability on .NET 8, see #2574 for details.

2.15.3

2.15.3

• Update Azure.Identity library to 1.10.2 for CVE-2023-36414.

Bug Fixes:

• Microsoft.Identity.Web honors the user-provided value for the cache expiry for in-memory cache. See #2466 for details.

2.15.2

2.15.2

• For the .NET 8 rc2 target framework, the IdentityModel dependencies have been updated to Identity.Model.*.7.0.3.

Bug Fixes

• Fixes a regression introduced in 2.15.0 where the OnTokenValidated delegates were no longer chained with an await. See issue#2513.

2.15.1

2.15.1

• Updated IdentityModel dependencies to Identity.Model.*.6.33.0 for all target frameworks other than .NET 8 rc1, for which Microsoft,Identity.Web leverages Identity.Model 7.0.2

New features

• TokenAcquirerFactory now adds support for reading the configuration from environment variables. See issue #2480

Experimental API

(to get feedback, could change without bumping-up the major version)

• It's now possible for an application to observe the client certificate selected by Token acquirer from the ClientCredentials properties, and when the certicate is un-selected (because it's rejected by the Identity Provider, as expired, or revoked). See Observing client certificates. PR #2496

Bug Fixes

• Fixes a resiliency issue where the client certificate rotation wasn't always happening (from KeyKeyVault, or certificate store with same distinguished name). See #2496 for details.
• In the override of AddMicrosoftIdentityWebApp taking a delegate, the delegate is now called only once (it was called twice causing the TokenValidated event to be called twice as well). Fixes #2328
• Fixes a regression introduced in 2.13.3, causing the configuration to not be read, when using an app builder other than the WindowsAppBuilder with AddMicroosftIdentityWebApp/Api, unless you provided an empty authentication scheme when acquiring a token. Fixes #2460, #2410, #2394

2.14.0

• Update to Abstractions 5.0.0
• Include new OpenIdConnect options from net 8. See PR #2462

Bug Fixes

• Chain the OnMessageReceived event. See PR #2468

2.13.4

2.13.4

• Update to IdentityModel 7.0.0-preview5 on .NET 8 and IdentityModel 6.32.3 for the other target frameworks.
• Update to MSAL 4.56.0, which now
  enables the cache synchronization by default
• Support for .NET 8 preview 7. See PR #2430

Bug fixes

• In Microsoft.Identity.Web.Owin, removed un-needed reference to Microsoft.Aspnet.WebApi.HelpPage. See issue #2417
• Fix to accomodate for breaking change in ASP.NET Core on .NET 8 that the SecurityToken is now a JsonWebToken. See issue #2420
• Improved the usability of IDownstreamApi by checking all HttpResponse for success before returning to the caller, instead of swallowing issues. This is a change of behavior. See issue #2426
• Improvement/Fix of OWIN scenarios, especially the session with B2C: #2388
• Fix an issue with CIAM web APIs and added two CIAM test apps. See PR #2411
• Fix a bug that is now surfaced by the .NET 8 runtime. See issue #2448
• Added a lock while loading credentials. See issue #2439

Fundamentals

• performance improvements: #2414
• Replaced Selenim with Playwright for more reliable faster UI tests. See issue #2354
• Added MSAL telemetry about the kind of token cache used (L1/L2). See issue #1900
• Resilience improvement: IdWeb now attempts to reload a certificate from its description when AAD returns "certificate revoked" error. See issue #244