7.6.0

7.6.0

New Features:

• Update JsonWebToken - extract and expose the method that reads the header/payload property values from the reader so it can be overridden in children classes to add any extra own logic. See issues #2581, #2583, and #2495 for details.

Bug Fixes:

• JWE header algorithm is now compliant to IANA document. See issue #2089 for details.

Performance Improvements:

• Reduce the number of internal array allocations that need to happen for each claim set, see PR #2596.

Fundamentals:

• Add an AOT compatibility check on each PR to ensure only AOT compatible code is checked-in. See PR #2598.
• Update perl scrip for OneBranch build. See PR #2602.
• Add langversion 12 to benchmark tests. See PR #2601.
• Removed unused build.cmd file. See PR #2605.
• Create CodeQL exclusions file. See PR #2609.
• Fix variable usage in AOT script. See PR #2610.
• Move Microsoft.IdentityModel.Tokens delegates to a new file. See PR #2606

7.5.2

7.5.2

Bug Fixes:

• Validate authentication tag length so a JWE with appended characters will not be considered a valid token. See issues #2201, #1641, PR #2569, and IDX10625 Wiki for details. By @kellyyangsong

Fundamentals:

• App Context Switches in Identity Model 7x are now documented here. By @kellyyangsong

Performance Improvements:

• In .NET 6 or greater, use a temporary buffer to reduce intermediate allocation in VerifyRsa/VerifyECDsa. See PR #2589 for more details. By @eerhardt
• Reduce allocations in ValidateSignature by using a collection expression instead of new List<SecurityKey> { key }, to optimize for the single element case. See PR #2586 for more details. By @eerhardt
• Remove Task allocation in AadIssuerValidator. See PR #2584 for more details. By @eerhardt

7.5.1

Performance Improvements:

• Use Base64.DecodeFromUtf8InPlace for base64 decode that saves 12% on token read time. Note that JsonWebToken no longer throws ArgumentOutOfRangeException and ArgumentException exceptions. See PR #2504. By @keegan-caruso.

Fundamentals:

• Moved token lifetime validation logic to an internal static class. See PR #2547. By @kellyyangsong.

Bug Fix:

• Contribution from @martinb69 to fix correct parsing of UserInfoEndpoint. See issue #2548 for details.

7.5.0

New Features:

Supports the 1.1 version of the Microsoft Entra ID Endpoint #2503

What's Changed

• Marcinzo/issuervalidatorv11 by @MZOLN in #2503

Full Changelog: v7.4.1...7.5.0

7.4.1

7.4.1

Bug Fixes:

• SamlSecurityTokenHandler and Saml2SecurityTokenHandler now can fetch configuration when validating SAML issuer and signature. See PR #2412
• JsonWebToken.ReadToken now correctly checks Dot3 index in JWE. See PR #2501

Engineering Excellence:

• Remove reference to Microsoft.IdentityModel.Logging in Microsoft.IdentityModel.Protocols, which already depends on it via Microsoft.IdentityModel.Tokens. See PR #2508
• Adjust uppercase json serialization tests to fix an unreliable test method, add consistency to naming. See PR #2512
• Disable the 'restore' and 'build' steps of 'build and pack' in build.sh, improving speed. See PR #2521

7.4.0

7.4.0

New Features:

• Introduced an injection point for external metadata management and adjusted the issuer Last Known Good (LKG) to maintain the state within the issuer validator. See PR #2480.
• Made an internal virtual method public, enabling users to provide signature providers. See PR #2497.

Performance Improvements:

• Added a new JsonWebToken constructor that accepts Memory for improved performance, along with enhancements to existing constructors. More information can be found in issue #2487 and in PR #2458.

Fundamentals:

• Resolved the issue of duplicated log messages in the source code and made IDX10506 log message more specific. For more details, refer to PR #2481.
• Enhanced Json serialization by ensuring the complete object is always read. This improvement can be found in PR #2491.

Engineering Excellence:

• Streamlined the build and release process by replacing the dependency on updateAssemblyInfo.ps1 with the Version property. Check out the details in PR #2494.
• Excluded the packing of Benchmark and TestApp projects for a more efficient process. Details available in PR #2496.

7.4.0-preview1

Performance Improvements:

• The existing JsonWebToken constructors now utilizes ReadOnlyMemory and Span to extract token segments, eliminating the need for string.split operations.
• A new constructor has been introduced that accepts ReadOnlyMemory of an encoded token. See issue #2487.

Performance Assessment on .NET 8:

• When using the preview version and opting for the constructor that accepts a string for the encoded token, the generation of a JWS yields a 3.95% decrease in memory usage, a 4.52% reduction in Gen0 and a 4.61% decrease in execution time compared to the latest release.
• The performance of the constructor that accepts ReadOnlyMemory is comparable to the constructor accepting a string for the encoded token, both for JWS and JWE.

Preview branch:

Dev (main) branch:

View the benchmarks here.

7.3.1

7.3.1

Bug Fixes:

• Replace propertyName with MetadataName constant. See issue #2471 for details.
• Fix 6x to 7x regression where mixed cases OIDC json was not correctly process. See #2404 and #2402 for details.

Performance Improvements:

• Update the benchmark configuration. See issue #2468.

Documentation:

• Update comment for azp in JsonWebToken. See #2475 for details.
• Link to breaking change announcement. See [#2478].
• Fix typo in log message. See [#2479].

7.3.0

New Features

Addition of the ClientCertificates property to the HttpRequestData class enables exposure of certificate collection involved in authenticating the client against the server and unlock support of new scenarios within the SDK. See PR #2462 for details.

Bug Fixes

Fixed bug where x5c property is empty in JwtHeader after reading a JWT containing x5c in its header, issue #2447, see PR #2460 for details.
Fixed bug where JwtPayload.Claim.Value was not culture invariant #2409. Fixed by PRs #2453 and #2461.
Fixed bug where Guid values in JwtPayload caused an exception, issue #2439. Fixed by PR #2440.

Performance Improvements

Remove linq from BaseConfigurationComparer, improvement #2464, for additional details see PR #2465.

Engineering Excellence

New benchmark tests for AsymmetricAdapter signatures. For details see PR #2449.

7.2.0

7.2.0

Performance Improvements:

Reduce allocations and transformations when creating a token #2395.
Update Esrp Code Signing version to speed up release build #2429.

Engineering Excellence:

Improve benchmark consistency #2428.
Adding P50, P90 and P100 percentiles to benchmarks #2411.
Decouple benchmark tests from test projects #2413.
Include pack step in PR builds #2442.

Fundamentals:

Improve logging in Wilson for failed token validation when key not found #2436.
Remove conditional Net8.0 compilation #2424.