See the releases for details on bug fixes and added features.
- Fix thread safety for JsonClaimSet Claims and JsonWebToken Audiences. See #2185 for details.
- Adding an AAD specific signing key issuer validator. See issue #2134 for details.
- Better support for WsFederation. See PR for details.
- Address perf regression introduced in 6.31.0. See PR for details.
This release contains work from the following PRs and commits:
- Introduce ConfigurationValidationException (#2076)
- Disarm security artifacts (#2064)
- Throw SecurityTokenMalformedTokenException on malformed tokens (#2080)
- Add ClaimsMapping to JsonWebTokenHandler
This release contains work from the following PRs:
- Modified token validation to be async throughout the call graph #2075
- Enforce key sizes when creating HMAC #2072
- Fix AotCompatibilityTests #2066
- Use an up-to-date "now", in case getting the Metadata takes a long time #2063
This release addresses #1743. Going forward, if the SymmetricKey is smaller than the size required for the HMAC algorithm, IdentityModel throws an ArgumentOutOfRangeException, the same exception it already throws when a SymmetricKey is smaller than the minimum key size for encryption.
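The following is an added example, not code from the release notes or from the IdentityModel project, showing the behaviour described above: signing with an HMAC key that is too short now fails with ArgumentOutOfRangeException, while a freshly generated full-strength key succeeds. The issuer, audience and key sizes are constructed for the demo; the 32-byte key is assumed to satisfy the HS256 minimum enforced by the library, and the exact threshold and message text come from the installed version.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Added example (not part of the release notes). Demonstrates the key-size
// enforcement from #1743 / #2072 with JsonWebTokenHandler and HS256.
static class HmacKeySizeDemo
{
    // Signs a minimal token with the supplied raw key bytes.
    static string Sign(byte[] keyBytes)
    {
        var handler = new JsonWebTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = "https://issuer.example",   // constructed values for the demo
            Audience = "api://example",
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(
                new SymmetricSecurityKey(keyBytes), SecurityAlgorithms.HmacSha256),
        };
        return handler.CreateToken(descriptor);
    }

    static void Main()
    {
        // A passphrase-derived 12-byte (96-bit) key: below any HMAC minimum the
        // library enforces, so this is expected to throw on this release line.
        try
        {
            Sign(Encoding.UTF8.GetBytes("short-secret"));
            Console.WriteLine("Unexpected: short key accepted");
        }
        catch (ArgumentOutOfRangeException ex)
        {
            Console.WriteLine("Rejected short key: " + ex.Message);
        }

        // Generate a random 256-bit key instead of deriving one from a passphrase
        // (assumed to meet the HS256 requirement; adjust if your version demands more).
        byte[] key = RandomNumberGenerator.GetBytes(32);
        string jwt = Sign(key);
        Console.WriteLine("Signed with 256-bit key, token length " + jwt.Length);
    }
}
```

Applications that previously signed with short, human-chosen secrets will start throwing at token creation or validation after upgrading; rotating to a randomly generated key of the full algorithm width is the intended fix rather than catching the exception.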
Beginning in release 6.28.0 the library stopped throwing SecurityTokenUnableToValidateException. This version (6.30.0) marks the exception type as obsolete to make this change more discoverable. Not including it in the release notes explicitly for 6.28.0 was a mistake. This exception type will be removed completely in the next few months as the team moves towards a major version bump. More information on how to replace the usage going forward can be found here: https://aka.ms/SecurityTokenUnableToValidateException
- Indicate that a SecurityTokenDescriptor can create JWS or JWE AzureAD#2055
- Specify 'UTC' in log messages https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/ceb10b10ad2edb97217e263915d407da1d957e03
- Fix order of log messages https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/05eeeb513e66a4236ae519ef9304bf2b6f26766f
- Fixed issues with matching Jwt.Kid with a X509SecurityKey.x5t AzureAD#2057 AzureAD#2061
- Marked an exception that is no longer used as obsolete AzureAD#2060
- Added support for AesGcm on .NET 6.0 or higher https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/85fa86af743e2b1a0078a9ecd956f34ee703acfc
- First round of trimming analysis preparation for AOT AzureAD#2042
- Added new API TokenHandler.ValidateTokenAsync(SecurityToken ...), implemented only on JsonWebTokenHandler. AzureAD#2056
- Add BootstrapRefreshInterval (#2052)
- Added net462 target (#2049)
- Create the configuration cache in the BaseConfigurationManager class (#2048)
- Update Wilson logs with aka.ms pointers to known wikis in AzureAD#2027
- Fix typo in documentation AzureAD#2034
- Introduce a LKG configuration cache to store each valid base configuration instead of a single entry of configuration AzureAD#2007
- Add encryption keys to base configuration AzureAD#2023
- Updated CHANGELOG link AzureAD#2026
Servicing release
- Set maximum depth for Newtonsoft parsing. AzureAD#2024
- Improve metadata failure message. AzureAD#2010
- Validate size of symmetric signatures. AzureAD#2008
- Added property TokenEndpoint to BaseConfiguration. AzureAD#1998
Releasing a hotfix for Wilson 6.26.0 that reverts the async/await changes made in #1996 to address a performance regression.
- Changes are in #2015
- Root cause analysis and fix will be tracked in #2017
Microsoft.IdentityModel has two assemblies to manipulate JWT tokens:
- System.IdentityModel.Tokens.Jwt, the legacy assembly. It defines the JwtSecurityTokenHandler class to manipulate JWT tokens.
- Microsoft.IdentityModel.JsonWebTokens, which defines the JsonWebToken class and JsonWebTokenHandler; it is the more modern and more efficient of the two.
When using JwtSecurityTokenHandler, short-named claims (oid, tid) used to be transformed into long-named claims (with a namespace). With JsonWebTokenHandler this is no longer the case: when you migrate your application from JwtSecurityTokenHandler to JsonWebTokenHandler (or use a framework that does), you only get the original claims sent by the IdP. This is more efficient and takes less space, but may require many changes in your application; in particular, authorization checks keyed on the long namespaced claim types stop matching until they are updated or the mapping is restored. To make it easier to migrate without changing the app too much, this PR adds extensibility to re-add the claims mapping.
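The following is an added example, not code from the release notes or from the IdentityModel project. It issues a constructed token carrying the short oid and tid claims, validates it with a plain JsonWebTokenHandler to show the claims arriving unchanged, and then validates it again with inbound claim mapping enabled. The MapInboundClaims and InboundClaimTypeMap members on JsonWebTokenHandler are assumed to be the extensibility point the claims-mapping work adds (check your installed version for the exact member names); the long claim-type URIs are the ones the legacy JwtSecurityTokenHandler used for oid and tid, and the key, issuer and audience are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Added example (not part of the release notes). Shows the claim-name difference
// between the default JsonWebTokenHandler and one with inbound mapping re-enabled.
static class ClaimsMappingDemo
{
    // Constructed demo key shared by issuer and validator; never do this in production.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));

    const string Issuer = "https://issuer.example";
    const string Audience = "api://example";

    // Issues a token the way an IdP would: short claim names only.
    static string IssueToken()
    {
        var handler = new JsonWebTokenHandler();
        return handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Expires = DateTime.UtcNow.AddMinutes(5),
            Claims = new Dictionary<string, object>
            {
                ["oid"] = "11111111-2222-3333-4444-555555555555", // constructed
                ["tid"] = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", // constructed
                ["sub"] = "user1",
            },
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256),
        });
    }

    // Validates and returns the claim types present on the resulting identity.
    static async Task<string[]> ClaimTypesAsync(JsonWebTokenHandler handler, string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
        };
        TokenValidationResult result = await handler.ValidateTokenAsync(token, parameters);
        if (!result.IsValid)
            throw result.Exception;   // never treat an invalid result as authenticated
        return result.ClaimsIdentity.Claims.Select(c => c.Type).ToArray();
    }

    static async Task Main()
    {
        string token = IssueToken();

        // Default behaviour: the claims come back exactly as the IdP sent them.
        var plain = new JsonWebTokenHandler();
        Console.WriteLine("unmapped: " + string.Join(", ", await ClaimTypesAsync(plain, token)));

        // Migration aid: opt back in to JwtSecurityTokenHandler-style long claim names.
        // Member names assumed from the claims-mapping extensibility described above.
        var mapping = new JsonWebTokenHandler { MapInboundClaims = true };
        mapping.InboundClaimTypeMap["oid"] = "http://schemas.microsoft.com/identity/claims/objectidentifier";
        mapping.InboundClaimTypeMap["tid"] = "http://schemas.microsoft.com/identity/claims/tenantid";
        Console.WriteLine("mapped:   " + string.Join(", ", await ClaimTypesAsync(mapping, token)));
    }
}
```

Re-enabling the mapping is a bridge, not a destination: each handler instance that validates tokens must carry the same map, so a policy that reads the long tenantid claim behaves identically whether the token came through the legacy handler or the new one. The longer-term fix is to update authorization code to read the short claim names the IdP actually issues.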
Unmasked non-PII properties in log messages - In Microsoft.IdentityModel logs, previously only system metadata (DateTime, class name, HTTP method, etc.) was displayed in clear text. For all other log arguments, only the type was logged, to prevent Personally Identifiable Information (PII) from being displayed when the ShowPII flag is turned OFF. To improve the troubleshooting experience, non-PII properties (Issuer, Audience, key location, Key Id (kid) and some SAML constants) are now displayed in clear text. See issue #1903 for more details.
Prefix Wilson header message to the first log message - To always log the Wilson header (Version, DateTime, PII ON/OFF message), EventLogLevel.LogAlways was mapped to LogLevel.Critical in the Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter class, which caused confusion about why the header was displayed as a fatal log. To address this, the header is now prefixed to the first message logged by Wilson and separated with a newline. EventLogLevel.LogAlways has been remapped to LogLevel.Trace. See issue #1907 for more details.
Copy the IssuerSigningKeyResolverUsingConfiguration delegate in Clone() #1909