3.1.0

3.1.0

• Updated to Microsoft.IdentityModel.* 8.0.2

Security improvement:

• Id Web now uses CaseSensitiveClaimsIdentity by default and provides AppContextSwitches to fallback to using ClaimsIdentity. This means that when you loopup claims with FindFirst(), FindAll() and HasClaim(), you need to provide the right casing for the claim. See PR #2977 for details.

Bug fixes:

• For SN/I scenarios, Id Web's GetTokenAcquirer now sets SendX5C in particular protocols. See issue #2887 for details.
• Fix for Instance/Tenant parsing for V2 authority (affected one Entra External IDs scenario). See PR #2954 for details.
• Fix regex that threw a format exception: The input string " was not in a correct format when enabling same-site cookie compatibility with userAgent: "Dalvik/2.1.0 (Linux; U; Android 12; Chromecast Build/STTE.230319.008.H1). See issue #2879 for details.
• Microsoft.Identity.Web 3.1.0 now has an upper bound set on its dependency on Microsoft.Identity.Abstractions to version 7x to avoid referencing Microsoft.Identity.Abstractions 8.0.0, which has an interface breaking change, not yet implemented in Microsoft.Identity.Web. See PR #2962 for details.

Fundamentals:

• Fix flakey tests: #2972, #2984, #2982,
• Update to AzureKeyVault@2 in AzureDevOps, #2981.
• Update to .NET 9-preview7, #2980 and #2991.
• It's now possible to build a specific version of Microsoft.Identity.Web based on specific versions of Microsoft.IdentityModel and Microsoft.Identity.Abstractions by specifying build variables on the dotnet pack command (MicrosoftIdentityModelVersion, MicrosoftIdentityAbstractionsVersions, and MicrosoftIdentityWebVersion): #2974, #2990

What's Changed

• Add X5C to MSAuth POP by @bgavrilMS in #2950
• Update CSPROJ with README by @localden in #2956
• Fix Instance/Tenant Parsing for V2 Authority by @jackj-msft in #2954
• Check that regex succeeded and value is an integer. by @brentschmaltz in #2958
• Set upper bound on Abstractions by @westin-m in #2962
• Removing 2.x versions post 3.0.0-preview1 by @JoshLozensky in #2967
• Fix test instability by @keegan-caruso in #2971
• Fix AT POP tests by @keegan-caruso in #2972
• Update to net 9 preview 7 by @westin-m in #2980
• Updating AzureKeyVault task to version 2 by @JoshLozensky in #2981
• [test] updates for one build by @jennyf19 in #2974
• Disable ciam test by @keegan-caruso in #2983
• Ensure that SimulateOidc is built before IntegrationTests (that use it) by @jmprieur in #2984
• skip more CIAM E2E tests by @jennyf19 in #2985
• remove grpc in E2E test by @jennyf19 in #2986
• Jennyf/fix slice by @jennyf19 in #2988
• reenable other ciam test by @jennyf19 in #2989
• Jennyf/client sem ver by @jennyf19 in #2990
• Fix Id Web Build by @FuPingFranco in #2991
• Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors and AppContextSwitches for fallback by @pmaytak in #2977

New Contributors

• @localden made their first contribution in #2956
• @jackj-msft made their first contribution in #2954

Full Changelog: 3.0.1...3.1.0

3.0.1

3.0.1

• Updated to Microsoft.IdentityModel.* 8.0.1

2.21.0

2.21.0

• Updated to Microsoft.IdentityModel 7.7.0

CVE package updates

CVE-2024-30105

3.0.0

3.0.0

CVE package updates

CVE-2024-30105

• See PR #2929 for details.

• Updated to Microsoft.IdentityModel.* 8.0.0, Microsoft.Identity.Lab API 1.0.2, Microsoft.Identity.Abstractions 6.0.0

• See rel/v2 changelog for full list of added features to 3.0.0.

Fundamentals:

• Update lab cert and lab version. See PR #2923 for details.

2.20.0

2.20.0

• Updated to Microsoft.Identity.Abstractions 6.0.0 which adds one method to IAuthorizationHeaderProvider

New features

• Implements the updated IAuthorizationHeaderProvider interface (the new method CreateAuthorizationHeaderForAppAsync). See issue #2907
• If an IMsalHttpClientFactory is added to the service collection, it's not used by IdWeb token acquisition. See issue #2911
  This will be use to enable some IPv6 scenarios.

Bug fixes

• Fix metadata address creation when using AddMicrosoftIdentityWebApp. See issue #2752
• Use MSAL.NET instead of DefaultAzureCredential for Federation identity credentials scenario. See 2894

Fundamentals

• Updating Lab Api to 0.13.3

3.0.0-preview3

3.0.0-preview3

• Updated to Microsoft.IdentityModel.* 8.0.0-preview3

3.0.0-preview2

3.0.0-preview2

• Updated MSAL .Net to 4.61.3
• Updated Azure.Identity to 1.11.4

New features:

• Change GetSignedAssertion public API. See issue #2853 for details.
• Update to latest .NET 9 preview 4. See issue #2877 for details.

2.19.1

2.19.1

• Updated MSAL .Net to 4.61.3
• Updated Azure.Identity to 1.11.4

2.19.0

2.19.0

• Updated to Microsoft.IdentityModel.* 7.6.0

New features

• Id Web now provides a .WithUser() modifier to the Microsoft Graph queries (like WithAppOnly()). See issue #2855 for details.
• Id Web now provides a base class for implementing a custom IAuthorizationHeaderProvider. See issue #2856 for details.

Bug fixes

• Id Web now processes the extra query parameters when included as part of the authority. See issue #2697 for details.

2.18.2

2.18.2

New feature

• Target Microsoft.IdentityModel 7x in OWIN targets, see issue #2785 for details.

Bug fixes

• Id Web now accepts an env var to disable interactive auth for KeyVaultCertificateLoader, see issue #2647 for details.
• Id Web token acquisition on ASP.NET Core 2.x on net472 or net48 implements ITokenAquirerFactory, see issue #2849 for details.