Bump Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt#44
Closed
dependabot[bot] wants to merge 58 commits into
Closed
Bump Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt#44dependabot[bot] wants to merge 58 commits into
dependabot[bot] wants to merge 58 commits into
Conversation
- GrpcChannelManager: explicit HTTP/2 handler + AppContext switch for h2c - AgentGateway Kestrel: split HTTP/2 (9444) and HTTP/1 (9445) endpoints - Helm chart: add apiPort for agent-gw, broker uses API port for REST - New AgentAutoRegistrationHostedService in Transport project - Hostname/ServiceName JsonConverter attributes for proper serialization - MachineRepository: fix EF Core entity tracking conflict in UpdateAsync - Docker compose: Kestrel endpoint env vars, split ports - New Blazor pages: MachineDetail, Admin, Audit, Credentials, Jobs, Patching, Services
- Add global.imagePullSecret config to values.yaml - Create docker-registry secret template in secrets.yaml - Add imagePullSecrets to all 5 deployment pod specs - Add dockerconfigjson helper to _helpers.tpl
- Change agent-gw liveness/readiness probes from gRPC to HTTP (/healthz, /readyz on apiPort) - Add retry logic to AgentAutoRegistrationHostedService.ExecuteAsync to handle agent-gw startup ordering
…gration, CI/CD fixes - Rewrite AuditLoggerService with HMAC-SHA256 chain (ChainVersion=1) - AuditOptions with HmacKey injection and ValidateOnStart - EF migration: AddAuditChainVersion (ChainVersion INT DEFAULT 0) - POST /api/audit/verify-chain endpoint - Rewrite CredentialVaultService: encrypted vault.dat, AES-GCM, Argon2id KDF, random salt per password, HMAC password sentinel, atomic writes, SemaphoreSlim concurrency - Add VaultOptions and VaultCrypto EncryptDirect/DecryptDirect - Pin Tmds.DBus.Protocol to 0.21.3 (CVE-2026-39959) - Fix AuthService: EnsureCreatedAsync -> MigrateAsync (migration race) - Fix Dockerfiles: missing COPY entries, /app/logs mkdir/chown - Fix docker-compose: all ports bound to 127.0.0.1, TrustServerCertificate for internal Docker network, vaultdata volume, broker depends_on auth - Fix CI: HM_BOOTSTRAP_ADMIN_ENABLED=true for smoke test stack startup; pass admin credentials env vars to Run platform smoke tests step - Redact exposed vault key from security-report.md - Add deploy/docker/.env.example and scripts/New-Secrets.ps1 - Add SCA job to ci.yml; all 8 platform secrets as GitHub secrets refs - Fix Auth.Tests: SqliteConnection.ClearAllPools() to release handles - Fix platform smoke tests: agent-gw port 9444->9445; read admin credentials from env rather than hardcoded defaults - Security headers, rate limiting, JWT audience, non-root Docker user, image tag pinning, SSH StrictHostKeyChecking, WinRM encoding fixes Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Platform smoke tests require Docker Compose stack running — they are already covered by the dedicated Platform Smoke Tests job. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Remove empty Vault:StoragePath override in Broker appsettings.json that caused OptionsValidationException on startup, breaking all Web.Tests - Migrate automation test classes from shared in-memory SqliteConnection to file-based SQLite with WAL mode + busy_timeout to eliminate concurrent thread-unsafe connection access - Add InternalsVisibleTo for test assembly to enable IAnsibleHandoffService mocking in timeout simulation tests - Fix AutomationTimeoutSimulationTests with DirectProcessHandoffService that bypasses ansible workspace path resolution (fails in CI) and replicates timeout CTS logic - Extract IAgentApiKeyValidator interface; register PassthroughAgentApiKeyValidator in TestAgentGatewayHost to fix gRPC AgentGatewayGrpcService activation - Migrate AuthHostWebApplicationFactory from in-memory to file-based SQLite - Add AddAuthTables migration to HomeManagement.Data (SQLite-compatible) to create missing auth schema tables that only existed in SQL Server migrations - Disable parallel test execution in Web.Tests assembly to prevent logger freeze when WebApplicationFactory hosts build concurrently Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
….26 (#28) --- updated-dependencies: - dependency-name: Microsoft.AspNetCore.Authentication.JwtBearer dependency-version: 8.0.26 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: anticow <anticow@gmail.com>
Bumps Google.Protobuf from 3.28.3 to 3.34.1 Bumps Grpc.AspNetCore from 2.67.0 to 2.76.0 Bumps Grpc.Net.Client from 2.67.0 to 2.76.0 Bumps Grpc.Tools from 2.67.0 to 2.80.0 --- updated-dependencies: - dependency-name: Google.Protobuf dependency-version: 3.34.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grpc - dependency-name: Grpc.AspNetCore dependency-version: 2.76.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grpc - dependency-name: Grpc.Net.Client dependency-version: 2.76.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grpc - dependency-name: Grpc.Tools dependency-version: 2.80.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grpc ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: anticow <anticow@gmail.com>
* Bump the testing group with 5 updates Bumps coverlet.collector from 6.0.2 to 10.0.0 Bumps FluentAssertions from 7.0.0 to 8.9.0 Bumps Microsoft.NET.Test.Sdk from 17.12.0 to 18.4.0 Bumps xunit from 2.9.2 to 2.9.3 Bumps xunit.runner.visualstudio from 2.8.2 to 3.1.5 --- updated-dependencies: - dependency-name: coverlet.collector dependency-version: 10.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: testing - dependency-name: FluentAssertions dependency-version: 8.9.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: testing - dependency-name: Microsoft.NET.Test.Sdk dependency-version: 18.4.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: testing - dependency-name: xunit dependency-version: 2.9.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: testing - dependency-name: xunit.runner.visualstudio dependency-version: 3.1.5 dependency-type: direct:production update-type: version-update:semver-major dependency-group: testing ... Signed-off-by: dependabot[bot] <support@github.com> * fix: update FluentAssertions v8 renamed comparison assertion methods FluentAssertions v8 renamed 'OrEqualTo' suffix variants to 'ThanOrEqualTo': - BeLessOrEqualTo -> BeLessThanOrEqualTo - BeGreaterOrEqualTo -> BeGreaterThanOrEqualTo - HaveCountGreaterOrEqualTo -> HaveCountGreaterThanOrEqualTo Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: anticow <anticow@gmail.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bumps Quartz from 3.13.1 to 3.18.0 Bumps Quartz.Extensions.DependencyInjection from 3.13.1 to 3.18.0 Bumps Quartz.Extensions.Hosting from 3.13.1 to 3.18.0 --- updated-dependencies: - dependency-name: Quartz dependency-version: 3.18.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: quartz - dependency-name: Quartz.Extensions.DependencyInjection dependency-version: 3.18.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: quartz - dependency-name: Quartz.Extensions.Hosting dependency-version: 3.18.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: quartz ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: anticow <anticow@gmail.com>
--- updated-dependencies: - dependency-name: System.Reactive dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: anticow <anticow@gmail.com>
Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 4 to 5. - [Release notes](https://github.com/actions/setup-dotnet/releases) - [Commits](actions/setup-dotnet@v4...v5) --- updated-dependencies: - dependency-name: actions/setup-dotnet dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [dorny/test-reporter](https://github.com/dorny/test-reporter) from 1 to 2. - [Release notes](https://github.com/dorny/test-reporter/releases) - [Changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md) - [Commits](dorny/test-reporter@v1...v2) --- updated-dependencies: - dependency-name: dorny/test-reporter dependency-version: '2' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4...v7) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v4...v8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
--- updated-dependencies: - dependency-name: NSec.Cryptography dependency-version: 25.4.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: anticow <anticow@gmail.com>
Eliminates Node.js 20 deprecation warning on all Docker build jobs. v4 uses Node.js 24, which is the upcoming GitHub Actions default. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Eliminates remaining Node.js 20 deprecation warnings in CI. Both actions now use Node.js 24 runtimes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- actions/checkout v4 -> v6 (security-guards + dependency-scan jobs) - actions/setup-dotnet v4 -> v5 (dependency-scan job) - dorny/test-reporter v2 -> v3 - docker/login-action v3 -> v4 - softprops/action-gh-release v2 -> v3 Eliminates all Node.js 20 deprecation warnings across ci.yml and release.yml. All GitHub Actions runner actions now use Node.js 24. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- HomeManagement.Integration.Action1 - Action1Client: full REST API client (endpoints, patches, deployments, software) - Action1PatchService: implements IPatchService via Action1 API with hostname/tag fallback - Action1WebhookEndpoints: POST /api/action1/webhook with HMAC-SHA256 validation - Action1SyncJob: Quartz reconciliation job (15-min interval, configurable) - Action1IntegrationRegistration: DI wiring + DisabledAction1PatchService no-op - Machine identity mapped via tags[action1:endpoint_id] with hostname fallback - HomeManagement.Integration.Prometheus - PrometheusClient: typed HttpClient with graceful degradation (empty on error) - PromQL: complete query builders for Windows (windows_exporter) + Linux (node_exporter) - PrometheusEndpointStateProvider: service state, availability, metrics (CPU/RAM/disk/uptime) - PrometheusIntegrationRegistration: DI wiring + DisabledPrometheusEndpointStateProvider - Broker.Host wired up: - services.AddAction1Integration(configuration) - services.AddPrometheusIntegration(configuration) - app.MapAction1WebhookEndpoints() Full solution: 0 warnings, 0 errors Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add IEndpointStateProvider to HomeManagement.Abstractions (GetServiceStateAsync, GetEndpointOnlineAsync, GetHardwareMetricsAsync) - PrometheusEndpointStateProvider implements IEndpointStateProvider (Prometheus-first state reads; non-sealed for disabled subclass override) - ServiceControllerService: Prometheus-first service state, falls back to agent - InventoryService: Prometheus-first hardware metrics, falls back to remote cmd - PatchingModuleRegistration: no longer registers IPatchService (conflict guard) - PatchService + IPatchStrategy marked [Obsolete]; Patching csproj NoWarn'd - Patching.Tests csproj: NoWarn CS0618 to keep legacy contract tests building - Build: 0 warnings, 0 errors Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- PlatformHealthEndpoint: fans out parallel checks to all 9 components (Broker, Auth, Web, AgentGateway, Seq, Prometheus, Grafana, ArgoCD, AWX) - Returns clean HTML dashboard (browser) or JSON (API/uptime monitors) - Auto-refreshes every 30 s; Verbose log level (no noise) - HTTP-only ingress at health.cowgomu.net/platform-health, no TLS, no auth - Only /platform-health path exposed; rest of gateway stays HTTPS-only - Platform health URLs injected via Helm env vars (overridable per env) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Pin OpenTelemetry.Api 1.15.3 (patches GHSA-g94r-2vxg-569j / Moderate) - Bump all OpenTelemetry.* packages to latest: Extensions.Hosting 1.15.3, Instrumentation.AspNetCore 1.15.2, Http 1.15.1, Runtime 1.15.1, Prometheus 1.15.3-beta.1, GrpcNetClient 1.15.1-beta.1 - Apply dotnet format to PlatformHealthEndpoint.cs and 4 pre-existing files Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
CorrelationIdMiddleware requires ICorrelationContext via constructor injection, but the Gateway never registered it (unlike other hosts which get it via AddHomeManagement()). All gateway requests returned 500 causing all smoke tests to fail. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add docker/login-action@v3 for mcr.microsoft.com in both docker-build-validate and platform-smoke-tests jobs (MCR rate-limits anonymous pulls from GH Actions runner IPs) - Add docker/setup-buildx-action to platform-smoke-tests so compose build uses BuildKit with the authenticated session - Wire type=gha cache-from/cache-to per-image in docker-build-validate so SDK/runtime layers are not re-pulled on every run Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
docker/build-push-action@v7 enables provenance attestations by
default. BuildKit then makes extra manifest HEAD requests back to
mcr.microsoft.com which MCR rejects with 403 (anonymous HEAD not
allowed for attestation endpoints).
Adding docker/login-action without credentials caused a second failure
('Username and password required'). MCR is a public registry - no
credentials exist to supply.
Fix: set provenance: false on the build step to suppress the
attestation manifest requests entirely. The GHA layer cache is kept
so SDK/runtime layers are not re-pulled on every run.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Same issue as Gateway (1af9142) — CorrelationIdMiddleware injects ICorrelationContext via method injection but neither host calls AddHomeManagement() which is where the registration lives. All 5 hosts now explicitly register ICorrelationContext: - Broker/Auth: via AddHomeManagement() (already correct) - Gateway/Web/AgentGateway: direct AddSingleton registration added Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The health ingress only routed /platform-health so hitting the root returned a nginx 404. Use app-root annotation to issue a 302 for bare / requests, and broaden the path rule to Prefix / so the redirect and the health page both work from the same ingress. The gateway still enforces JWT auth on all proxied routes so broadening the path rule does not expose unprotected endpoints. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Prevents MCR 403 during base image manifest resolution in release pipeline — same root cause as the CI fix in f42f45a. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Seq: change health check URL from port 5341 (ingestion) to /api on port 80 (REST API). The ingestion port has no HTTP root handler, causing 404. - ArgoCD: configure platform-health HttpClient to bypass SSL cert validation. ArgoCD server redirects HTTP->HTTPS and uses a self-signed cluster cert that is not in the pod trust store. These URLs are cluster-internal only — never user-facing traffic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Fix ArgoCD health URL: use https:// directly to avoid HTTP->HTTPS
redirect round-trip (SSL cert bypass already configured in HttpClient)
- Add version information to /platform-health:
- Gateway version shown in page header (from APP_VERSION env var)
- New 'Version' column in service table
- HM services (Broker, Auth, Web, AgentGateway): query /version endpoint
- Grafana: parse version from /api/health response body
- AWX: parse version from /api/v2/ping/ response body
- ArgoCD: secondary call to /api/version
- Prometheus: secondary call to /api/v1/status/buildinfo
- Version lookup is best-effort — never affects health status
- Add APP_VERSION env var to all 5 Helm deployment templates
(resolved from per-service image.tag, falls back to global.imageTag)
- Add /version endpoint to Broker, Auth, AgentGateway, Web host programs
(returns {version: APP_VERSION}, anonymous + excluded from descriptions)
- Add 15-second result cache to /platform-health to limit internal
fan-out traffic under external polling
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ArgoCD is deployed in insecure mode (plain HTTP on pod port 8080). The service maps both port 80 and 443 to pod port 8080, so connecting to https://argocd-server... triggers a TLS handshake against a plain HTTP listener, causing 'SSL connection could not be established'. Switch to http://argocd-server.argocd.svc.cluster.local:80/healthz which matches the actual pod protocol. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Services like ArgoCD (secure mode) redirect HTTP:80 -> HTTPS:443. With AllowAutoRedirect=true the health client followed these redirects, re-triggering SSL errors when the HTTPS backend has cert issues. Fix: - AllowAutoRedirect=false: stops redirect-chasing - 3xx responses classified as 'Healthy' (service is alive and redirecting) - 4xx classified as 'Degraded' (service up but returning client errors) - 5xx and exceptions remain 'Unhealthy' Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- PlatformHealthEndpoint: query Kubernetes in-cluster API for pod start times (get/list pods in homemanagement namespace), enriching each service row with a Pod Age column (hover tooltip shows exact UTC time) - Gateway's own process start time shown in the page subtitle so restarts are immediately visible without inspecting kubectl - Added k8s-api named HttpClient in Program.cs (5s timeout, bypasses self-signed in-cluster cert) - New deploy/helm/homemanagement/templates/rbac.yaml: Role + RoleBinding granting default service account get/list on pods (namespace-scoped only) - FormatAge helper formats durations as e.g. 2d 3h, 5h 12m, 47m - All K8s lookups are best-effort: any failure silently omits pod age data without affecting health check results Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…per in rbac.yaml Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Introduced new models for authentication including AuthUser, AuthResult, and LoginRequest. - Implemented IJwtTokenService and IPasswordPolicy interfaces for JWT handling and password validation. - Created DefaultPasswordPolicy class to enforce password strength requirements. - Developed AuthUserRepository, AuthRoleRepository, and AuthRefreshTokenRepository for user and role management. - Added contract tests for AuthService to ensure correct delegation to IJwtTokenService and IPasswordPolicy. - Implemented unit tests for DefaultPasswordPolicy to validate password strength logic. - Updated various automation tests to include new dependencies and models. - Enhanced application builder extensions for security headers and health endpoints.
Bumps Microsoft.IdentityModel.Tokens to 8.17.0 Bumps System.IdentityModel.Tokens.Jwt to 8.17.0 --- updated-dependencies: - dependency-name: Microsoft.IdentityModel.Tokens dependency-version: 8.17.0 dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: System.IdentityModel.Tokens.Jwt dependency-version: 8.17.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
bcef9fe to
84daf64
Compare
Contributor
Author
|
Looks like these dependencies are updatable in another way, so this is no longer needed. |
Contributor
Author
|
Superseded by #46. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pinned Microsoft.IdentityModel.Tokens at 8.17.0.
Release notes
Sourced from Microsoft.IdentityModel.Tokens's releases.
8.17.0
Dependencies
8.16.0
New Features
Fundamentals
8.15.0
New Features
X509SecurityKeyandJsonWebKeyConverter.ConvertFromX509SecurityKeyExtended
X509SecurityKeyandJsonWebKeyConverter.ConvertFromX509SecurityKeyto support ECDSA keys.See PR #2377 for details.
Bug Fixes
Updated logging to sanitize sensitive values, reducing the risk of inadvertently exposing secrets or PII in logs.
See PR #3316 for details.
SearchValuesImproved the performance of the log sanitization logic introduced earlier by using
SearchValues, making sanitization more efficient in high-throughput scenarios.See PR #3341 for details.
IDX10400Adjusted the
IDX10400test to align with the current behavior and error messaging.See PR #3314 for details.
Fundamentals
Added new tests to validate the set of supported cryptographic algorithms, increasing confidence in algorithm coverage and compatibility.
See PR #3296 for details.
.clinerulestoagents.mdMoved repository agent/AI-assist rules into markdown documentation to make them more visible and easier to maintain.
See PR #3313 for details.
Microsoft.IdentityModel.TestExtensionsfrom Newtonsoft.Json to System.Text.JsonUpdated
Microsoft.IdentityModel.TestExtensionsto useSystem.Text.Jsoninstead ofNewtonsoft.Json, aligning tests with the runtime serialization stack.See PR #3356 for details.
Turned off automated code coverage comments on PRs to reduce noise while retaining coverage data elsewhere.
See PR #3349 for details.
Addressed CodeQL-reported issues to improve security posture and static analysis cleanliness.
See PR #3364 for details.
.NET 10 / SDK and tooling updates
Updated the repository to build and test against .NET 10.0 preview/RC1, ensuring early compatibility with the upcoming runtime.
See PRs #3287, #3357, and #3358 for details.
Ensured consistent use of the
TargetNetNextparameter across build, test, and pack phases so .NET 10.0 tests execute reliably.See PR #3337 for details.
Adjusted project files and CI workflows to correctly target and run on .NET 10.0, including test and pack scenarios.
See PR #3363 for details.
Updated the .NET version references to be compliant with corporate governance (CG) requirements.
See PR #3353 for details.
CoverletCollectorVersionto 6.0.4.See PR #3333 for details.
Microsoft.NET.Test.Sdkto a newer version for improved test reliability and tooling support.... (truncated)
8.14.0
8.14.0
Bug Fixes
ValidationResultinstead ofOperationResultwhen validating a token in a new experimental validation flow. Additionally removed the dependency on Microsoft.IdentityModel.Abstractions. See #3299 for details.8.13.1
8.13.1
Dependencies
Microsoft.IdentityModel now depends on Microsoft.Identity.Abstractions 9.3.0
Bug Fixes
Work related to redesign of IdentityModel's token validation logic #2711
8.13.0
8.13.0
8.13.0
Fundamentals
CaseSensitiveClaimsIdentity.SecurityTokensetter is now protected internal (was internal). See PR #3278 for details.What's Changed
New Contributors
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.12.1...8.13.0
8.12.1
8.12.1
Fundamentals
What's Changed
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.12.0...8.12.1
8.12.0
8.12.0
New Features
Added event handling capabilities to the
ConfigurationManager, enabling consumers to subscribe to configuration change events. This enhancement improves extensibility and allows more responsive applications. For details see #3253Bug Fixes
Introduced the expected overload of
Base64UrlEncoder.Decodefor .NET 6 and 8, ensuring compatibility and preventing missing method issues on these frameworks.For details see #3249
Fundamentals
Incorporated AI assist rules to enhance AI agents effectiveness.
For details see #3255
Upgraded analyzer packages for improved diagnostics and code consistency (in particular delegates are added).
For details see #3256
Centralized suppression of RS006 warnings in project files for easier management.
For details see #3230
What's Changed
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.11.0...8.12.0
8.11.0
8.11.0
New Features:
JsonWebTokenHandler.DecryptTokenWithConfigurationAsync, which decrypts a JWE token using keys from eitherTokenValidationParametersor, if not present, from configuration (such as via a ConfigurationManager). This enhancement improves developer experience by enabling asynchronous, cancellation-aware JWE decryption scenarios, aligning with modern .NET async patterns and making integration with external key/configuration sources more robust and observable. See PR #3243 for details.What's Changed
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.10.0...8.11.0
8.10.0
8.10.0
Bug Fixes
Fundamentals
8.9.0
8.9.0
Bug Fixes
New Features
Fundamentals
8.8.0
8.8.0
New Features
Switch.Microsoft.IdentityModel.UpdateConfigAsBlockingswitch. If set, configuration calls will be blocking when metadata is updated, otherwise, if token arrive with a new signing keys, validation errors will be returned to the caller. See PR #3193 for details.Switch.Microsoft.IdentityModel.DoNotScrubExceptionsAppContextSwitch. See PR #3195 and https://aka.ms/identitymodel/app-context-switches for details.System.Thread.Lockobjects for .NET 9 or greater. See PRs #3185 and #3189 for details.8.7.0
Bug Fixes
IsRecoverableExceptionandIsRecoverableExceptionTypewhose signatures were changed in the previous version. See #3181.New Features
Cnfclass public and move it to Microsoft.IdentityModel.Tokens package. See #3165.What's Changed
New Contributors
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.6.1...8.7.0
8.6.1
8.6.1
Bug fix
JsonWebTokenHandlerwhereJwtTokenDecryptionParameters'sAlgandEncwere not set during token decryption, causingIDX10611andIDX10619errors to show null values in the messages. See issue #3003 for details.Fundamentals
What's Changed
New Contributors
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.6.0...8.6.1
8.6.0
8.6.0
New Features
TryAllDecryptionKeysthat let you choose whether to try all decrypt keys when no key matches the token decrypt key IDs. By default it's set to true (legacy behavior) but you can set it to false to avoid tyring all keys which is more performant. See #3128Fundamentals
What's Changed
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.5.0...8.6.0
8.5.0
8.5.0
Reverting previous breaking change
What's Changed
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.4.0...8.5.0
8.4.0
8.4.0
New Features
Repair items
KeyIDshould be present in exception messages and is no longer PII. See #3104 for details.Fundamentals
Work related to redesign of IdentityModel's token validation logic #2711
8.3.1
8.3.1
Bug Fixes
AuthenticationEncryptionProvider.cs. See #3063Fundamentals
Work related to redesign of IdentityModel's token validation logic #2711
What's Changed
New Contributors
... (truncated)
8.3.0
New features
Work related to redesign of IdentityModel's token validation logic #2711
Bug fixes
Fundamentals
New Contributors
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.2.1...8.3.0
8.2.1
8.2.1
New features
Bug fixes
Fundamentals
SecurityTokenDescriptor. See 2993.Work related to redesign of IdentityModel's token validation logic #2711
IssuerExtensibility. See 2987.What's Changed
New Contributors
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.2.0...8.2.1
8.2.0
8.2.0
Fundamentals
Work related to redesign of IdentityModel's token validation logic #2711
What's Changed
... (truncated)
8.1.2
What's Changed
Bug fixes
CaseSensitiveClaimsIdentityas expected, by @jennyf19 in return CaseSensitiveClaimsIdentity in clone AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2879Fundamentals
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.1.1...8.1.2
8.1.1
8.1.1
Bug fixes
What's Changed
Full Changelog: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8.1.0...8.1.1
8.1.0
8.1.0
Performance improvements
New features
Bug fixes
Fundamentals
IsTargetFrameworkCompatible(*)so AOT is forward-compatible with .NET 9 and beyond. See PR #2790 for details.[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors)]. See PR #2820.
Work related to redesign of IdentityModel's token validation logic #2711
What's Changed
... (truncated)
8.0.2
8.0.2
Security fundamentals
BannedApiAnalyzersto prevent use ofClaimsIdentityconstructors. See PR #2778 for details.Bug fixes
UseRfcDefinitionOfEpkAndKidswitch. See PR #2747 for details.DoNotFailOnMissingTidin 7x andDontFailOnMissingTidin 8x, adding the method for back compat. See issue #2750 for details.JsonWebKeySetstores the original string it was created with. See PR #2755 for details.SignatureProvider. See #2788 for details.Fundamentals
9.0.100-preview.7.24407.12and add<NoWarn>$(NoWarn);SYSLIB0057</NoWarn>due to breaking changes in preview7. #2786.Work relating to #2711
What's Changed
Description has been truncated