Chore | upgrade Azure Identity from 1.5.0 to 1.6.0

[lcheunglci]

As mentioned in #1601 , We can upgrade Azure Identity from 1.5.0 to 1.6.0 and it's dependency Microsoft.Identity.Client from 4.30.1 to 4.43.2

[AraHaan]

Btw take a look at the other dependency updates here as well (as there are others that are outdated)

#1536

note: with all of these updated: dotnet list package --vulnerable returns that there should be no vulnerable packages (could have it also check the dependencies of the packages as well too).

[lcheunglci]

Thanks @AraHaan just noticed the same changes are in your PR, so I'm closing this one.

[AraHaan]

I made those changes temporarily but I could rebase it to remove the package updates on it (to not block the updates to the packages).

That separate pr is blocked at least until .NET 6 is added to the CI.

[AraHaan]

Anyways I think updating the JsonWebTokens and OpenIdConnect to 6.17.0 should make this pr pass (hopefully). At least it does build on me locally.

[lcheunglci]

ok, so the #1536 is blocked until the MDS project is upgraded to .NET6. I ran the dotnet list package -vulnerable and it didn't show OpenIdConnect and JsonWebTokens listed with vulnerabilities, and it builds fine with or without the upgrade from 6.8.0 to 6.17.0. @JRahnama any thoughts, and shall I reopen this PR and should I include the OIDC and JWT upgrade?

[JRahnama]

yes please, reopen this PR and check for other dependencies related to this change.

[AraHaan]

@lcheunglci still working on finding the other dependencies related to this change?

They should be the Microsoft.IdentityModel.* dependencies I believe.

[lcheunglci]

@lcheunglci still working on finding the other dependencies related to this change?

They should be the Microsoft.IdentityModel.* dependencies I believe.

Thanks for the suggestion. In terms of dependencies directly affected by Azure.Identity upgrade from 1.5.0 to 1.6.0, only Microsoft.Identity.Client and Azure.Core were affected to upgrade the required minimum versions. Microsoft.IdentityModel.JsonWebTokens and Microsoft.IdentityModel.Protocols.OpenIdConnect are not directly referenced in it, so the upgrade for them from 6.8.0 to 6.17.0 isn't required at the moment. As for whether or not they should be upgraded, I checked with @JRahnama and he said we should keep this upgrade to a minimum to avoid any untested side effects, so I'll hold off on it at the moment.

[AraHaan]

Sounds good, those can be upgraded in a follow up pr to ensure they get tested.

[AraHaan]

Hopefully this gets merged soon so the follow up pr can happen before the end of preview.3's development stage.

[AraHaan]

Any ETA on when this will get merged?

[AraHaan]

@lcheunglci is the follow up pr in the works now to update the Microsoft.IdentityModel.* dependencies as well?

[lcheunglci]

@lcheunglci is the follow up pr in the works now to update the Microsoft.IdentityModel.* dependencies as well?

I did try to upgrade both the Microsoft.IdentityModel.OpenIdConnect and JsonWebTokens locally, and it worked fine on the netcore project; however, it kept giving an error when it tries to restore the package Microsoft.IdentityModel.Abstrations which doesn't exist in the azure repo, so I was holding off until that's resolved until I opened a new PR for those upgrades

[lcheunglci]

I think I found out why. The nuget repo that the solution/project points to i.e. azure nuget repo https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json does not contain the required dependency Microsoft.IdentityModel.Abstrations; however, the nuget public repo does https://api.nuget.org/v3/index.json contain it. I wonder if there was a reason behind not using the nuget public repo and using the azure nuget repo instead.