See the releases for details on bug fixes and added features.
- Reduced allocations in
AadIssuerValidatorby not usingstring.Replacewhere appropriate. See issue #2595 and PR #2597 for more details.
- Update
JsonWebToken- extract and expose the method that reads the header/payload property values from the reader so it can be overridden in children classes to add any extra own logic. See issues #2581, #2583, and #2495 for details.
- JWE header algorithm is now compliant to IANA document. See issue #2089 for details.
- Reduce the number of internal array allocations that need to happen for each claim set, see PR #2596.
- Add an AOT compatibility check on each PR to ensure only AOT compatible code is checked-in. See PR #2598.
- Update perl scrip for OneBranch build. See PR #2602.
- Add langversion 12 to benchmark tests. See PR #2601.
- Removed unused build.cmd file. See PR #2605.
- Create CodeQL exclusions file. See PR #2609.
- Fix variable usage in AOT script. See PR #2610.
- Move
Microsoft.IdentityModel.Tokensdelegates to a new file. See PR #2606
- Validate authentication tag length so a JWE with appended characters will not be considered a valid token. See issues #2201, #1641, PR #2569, and IDX10625 Wiki for details.
- App Context Switches in Identity Model 7x are now documented here.
- In .NET 6 or greater, use a temporary buffer to reduce intermediate allocation in
VerifyRsa/VerifyECDsa. See PR #2589 for more details. - Reduce allocations in
ValidateSignatureby using a collection expression instead ofnew List<SecurityKey> { key }, to optimize for the single element case. See PR #2586 for more details. - Remove Task allocation in
AadIssuerValidator. See PR #2584 for more details.
- Use Base64.DecodeFromUtf8InPlace for base64 decode that saves 12% on token read time. Note that JsonWebToken no longer throws ArgumentOutOfRangeException and ArgumentException exceptions. See PR #2504.
- Moved token lifetime validation logic to an internal static class. See PR #2547.
- Contribution from @martinb69 to fix correct parsing of
UserInfoEndpoint. See issue #2548 for details.
- Supports the 1.1 version of the Microsoft Entra ID Endpoint #2503
SamlSecurityTokenHandlerandSaml2SecurityTokenHandlernow can fetch configuration when validating SAML issuer and signature. See PR #2412JsonWebToken.ReadTokennow correctly checks Dot3 index in JWE. See PR #2501
- Remove reference to
Microsoft.IdentityModel.LogginginMicrosoft.IdentityModel.Protocols, which already depends on it viaMicrosoft.IdentityModel.Tokens. See PR #2508 - Adjust uppercase json serialization tests to fix an unreliable test method, add consistency to naming. See PR #2512
- Disable the 'restore' and 'build' steps of 'build and pack' in
build.sh, improving speed. See PR #2521
- Introduced an injection point for external metadata management and adjusted the issuer Last Known Good (LKG) to maintain the state within the issuer validator. See PR #2480.
- Made an internal virtual method public, enabling users to provide signature providers. See PR #2497.
- Added a new JsonWebToken constructor that accepts Memory for improved performance, along with enhancements to existing constructors. More information can be found in issue #2487 and in PR #2458.
- Resolved the issue of duplicated log messages in the source code and made IDX10506 log message more specific. For more details, refer to PR #2481.
- Enhanced Json serialization by ensuring the complete object is always read. This improvement can be found in PR #2491.
- Streamlined the build and release process by replacing the dependency on updateAssemblyInfo.ps1 with the Version property. Check out the details in PR #2494.
- Excluded the packing of Benchmark and TestApp projects for a more efficient process. Details available in PR #2496.
- Replace propertyName with
MetadataNameconstant. See issue #2471 for details. - Fix 6x to 7x regression where mixed cases OIDC json was not correctly process. See #2404 and #2402 for details.
- Update the benchmark configuration. See issue #2468.
- Update comment for
azpinJsonWebToken. See #2475 for details. - Link to breaking change announcement. See [#2478].
- Fix typo in log message. See [#2479].
Addition of the ClientCertificates property to the HttpRequestData class enables exposure of certificate collection involved in authenticating the client against the server and unlock support of new scenarios within the SDK. See PR #2462 for details.
Fixed bug where x5c property is empty in JwtHeader after reading a JWT containing x5c in its header, issue #2447, see PR #2460 for details. Fixed bug where JwtPayload.Claim.Value was not culture invariant #2409. Fixed by PRs #2453 and #2461. Fixed bug where Guid values in JwtPayload caused an exception, issue #2439. Fixed by PR #2440.
Remove linq from BaseConfigurationComparer, improvement #2464, for additional details see PR #2465.
New benchmark tests for AsymmetricAdapter signatures. For details see PR #2449.
Reduce allocations and transformations when creating a token #2395. Update Esrp Code Signing version to speed up release build #2429.
Improve benchmark consistency #2428. Adding P50, P90 and P100 percentiles to benchmarks #2411. Decouple benchmark tests from test projects #2413. Include pack step in PR builds #2442.
Improve logging in Wilson for failed token validation when key not found #2436. Remove conditional Net8.0 compilation #2424.
See https://aka.ms/IdentityModel/Jan2024/zip and https://aka.ms/IdentityModel/Jan2024/jku for details.
- Fix errors like the following reported by multiple customers at dotnet/aspnetcore#51005 when they tried to upgrade their app using
AddMicrosoftIdentityWebAppto .NET 8. See PR for details. - Fix compatibility issue with 6x when claims are a bool. See issue #2354 for details.
- Resolved an issue where JsonWebToken properties would throw exceptions when the input string was 'null'. See PR#2335 for details.
- GetPayloadClaim("aud") returns a string when a single audience is specified, aligning with the behavior in 6.x. See PR#2331 for details.
See IdentityModel7x for the updates on this much anticipated release.
- Improve log messages. See PR #2289 for details.
- In
AadIssuerValidatorreturn aValueTask<string>instead of aTask<string>. See Issue #2286 and PR [#2287] for details. - Deprecate
int? JwtPayload.Exp,.Iat, and.Nbf. See issue #2266 for details, #92, and #1525. - General clean-up. See PR #2285.
- Add nullables to the properties in
WsFederationMessage. See issue #2240 for details. - Fix regression where
JsonWebToken.TryGetPayloadValue()was not compatible with dictionary types. See issue #2246 for details. - Fix regression where dictionary claims added to
SecurityTokenDescriptor.Claimsare no longer correctly serialized. See issue #2245 for details. - Fix regression with a Y2038 bug. See issue #2261 for details.
- Fix a regression where claims with multiple values are incorrectly serialized. See #2244 for details.
- Remove sync-over-async pattern with
JsonWebTokens.ValidateToken, which when in the hot path can lead to threadpool starvation. See issue #2253 for details. - Perf testing using benchmark dotnet and crank, similar to aspnetcore, to better gauge requests per second perf impacts. See issue #2232 for details.
- Use optimistic synchronization in
JsonWebToken.Audiences. See PR for details. - Reduce allocations when enumerating over collections. See PR for details.
- Fix description for JWT X5tS256 field.
- Improvements to the build script to accommodate .NET's source-build requirements. See PR for details.
- Replace Newtonsoft.Json with System.Text.Json, see #2233, and as a result, ASP.NET's JwtBearer auth handler will now be fully AOT compatible.
-
Series of perf improvements in collaboration with ASP .NET Core DevDiv team, results in improvements from 280K Request per second (RPS) in
7.0.0-previewto 370K RPS in7.0.0-preview2, with more improvements to come in later versions: #2195, #2194, #2193, #2192, #2190, #2188, #2184, #2181, #2180, #2178, #2175, #2172, #2171, #2170, #2169, #2168, #2167, #2166, #2164, #2162, #2161, #2160, #2159, #2158, #2221 -
First increment in replacing newtonsoft with System.Text.Json, see #2174
-
Reading and writing JsonWebKey and JsonWebKeySet types now use System.Text.Json.Utf8JsonReaders/Writers for serialization. See PR @2208 for details.
-
Remove the use of Newtonsoft from OpenIdConnectConfiguration and OpenIdConnectMessage. See PR @2214 for details.
-
Fix casing Properties directory in
updateAssemblyInfo.ps1script see, #2189 -
Add code coverage in ADO, see #2176
-
Add codeQL scanning for compliance, see #2151
Delisted from NuGet due to versioning inconsistency Include IdentityModel 6.32.0 release updates, including AAD specific signing key issuer validator and fix perf regression.
Join the 7x discussion and provide your feedback!
Relevant PRs for supporting .NET 8: #2108 #2121 #2122
Remove net45, see #2123
JwtSecurityTokenConverter, see #2117
- Fix logging messages. See #2288 for details.
- Underlying JsonDocument is never disposed, causing high latency in large scale services. See #2258 for details.
- Fix thread safety for
JsonClaimSetClaims andJsonWebTokenAudiences. See #2185 for details.
- Adding an AAD specific signing key issuer validator. See issue #2134 for details.
- Better support for WsFederation. See PR for details.
- Address perf regression introduced in 6.31.0. See PR for details.
This release contains work from the following PRs and commits:
- Introduce ConfigurationValidationException(#2076)
- Disarm security artifacts(#2064)
- Throw SecurityTokenMalformedTokenException on malformed tokens(#2080)
- Add ClaimsMapping to JsonWebTokenHandler
This release contains work from the following PRs:
- Modified token validation to be async throughout the call graph #2075
- Enforce key sizes when creating HMAC #2072
- Fix AotCompatibilityTests #2066
- Use up-to-date "now", in case take long time to get Metadata #2063
This release addresses #1743 and, as such, going forward if the SymmetricKey is smaller than the required size for HMAC IdentityModel will throw an ArgumentOutOfRangeException which is the same exception when the SymmetricKey is smaller than the minimum key size for encryption.
Beginning in release 6.28.0 the library stopped throwing SecurityTokenUnableToValidateException. This version (6.30.0) marks the exception type as obsolete to make this change more discoverable. Not including it in the release notes explicitly for 6.28.0 was a mistake. This exception type will be removed completely in the next few months as the team moves towards a major version bump. More information on how to replace the usage going forward can be found here: https://aka.ms/SecurityTokenUnableToValidateException
Indicate that a SecurityTokenDescriptor can create JWS or JWE #2055 Specify 'UTC' in log messages https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/ceb10b10ad2edb97217e263915d407da1d957e03 Fix order of log messages https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/05eeeb513e66a4236ae519ef9304bf2b6f26766f
Fixed issues with matching Jwt.Kid with a X509SecurityKey.x5t #2057 #2061
Marked Exception that is no longer used as obsolete #2060
Added support for AesGcm on .NET 6.0 or higher https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/85fa86af743e2b1a0078a9ecd956f34ee703acfc
First round of trimming analysis preparation for AOT #2042
Added new API on TokenHandler.ValidateTokenAsync(SecurityToken ...) implemented only on JsonWebTokenHandler. #2056
- Add BootstrapRefreshInterval (#2052)
- Added net462 target (#2049)
- Create the configuration cache in the BaseConfigurationManager class (#2048)
- Add BootstrapRefreshInterval (#2052)
- Added net462 target (#2049)
- Create the configuration cache in the BaseConfigurationManager class (#2048)
- Update Wilson logs with aka.ms pointers to known wikis in #2027
- Fix typo in documentation #2034
- Introduce a LKG configuration cache to store each valid base configuration instead of a single entry of configuration #2007
- Add encryption keys to base configuration #2023
- Updated CHANGELOG link #2026
Servicing release Set maximum depth for Newtonsoft parsing. #2024 Improve metadata failure message. #2010 Validate size of symmetric signatures. #2008 Added property TokenEndpoint to BaseConfiguration. #1998
Releasing a Hotfix for Wilson 6.26.0 that reverts async/await changes made in #1996 to address a performance reduction issue.
- Changes are in #2015
- Root cause analysis and fix will be tracked in #2017
Microsoft.IdentityModel has two assemblies to manipulate JWT tokens:
System.IdentityModel.Tokens.Jwt, which is the legacy assembly. It defines JwtSecurityTokenHandler class to manipulate JWT tokens. Microsoft.IdentityModel.JsonWebTokens, which defines the JsonWebToken class and JsonWebTokenHandler, more modern, and more efficient. When using JwtSecurityTokenHandler, the short named claims (oid, tid), used to be transformed into the long named claims (with a namespace). With JsonWebTokenHandler this is no longer the case, but when you migrate your application from using JwtSecurityTokenHandler to JsonWebTokenHandler (or use a framework that does), you will only get original claims sent by the IdP. This is more efficient, and occupies less space, but might trigger a lot of changes in your application. In order to make it easier for people to migrate without changing their app too much, this PR offers extensibility to re-add the claims mapping.
Unmasked non-PII properties in log messages - In Microsoft.IdentityModel logs, previously only system metadata (DateTime, class name, httpmethod etc.) was displayed in clear text. For all other log arguments, the type was being logged to prevent Personally Identifiable Information (PII) from being displayed when ShowPII flag is turned OFF. To improve troubleshooting experience non-PII properties - Issuer, Audience, Key location, Key Id (kid) and some SAML constants will now be displayed in clear text. See issue #1903 for more details.
Prefix Wilson header message to the first log message - To always log the Wilson header (Version, DateTime, PII ON/OFF message), EventLogLevel.LogAlways was mapped to LogLevel.Critical in Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter class which caused confusion on why header was being displayed as a fatal log. To address this, header is now prefixed to the first message logged by Wilson and separated with a newline. EventLogLevel.LogAlways has been remapped to LogLevel.Trace. See issue #1907 for more details.
Copy the IssuerSigningKeyResolverUsingConfiguration delegate in Clone() #1909