Replace JsonWebToken ReadPayloadValue with a delegate by pmaytak · Pull Request #2981 · AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet

pmaytak · 2024-11-05T18:01:32Z

This pull request introduces several updates and improvements to the Microsoft.IdentityModel.JsonWebTokens library, focusing on enhancing the handling of token payloads and custom claims. The most important changes include adding new constructors to the JsonWebToken class, updating the JsonClaimSet initialization, and introducing a new delegate for reading custom token payload values.

Enhancements to JsonWebToken:

Added new constructors to the JsonWebToken class to support initializing tokens with custom delegates for reading token payload values. (src/Microsoft.IdentityModel.JsonWebTokens/JsonWebToken.cs) [1] [2] [3]
Introduced the ReadTokenPayloadValueDelegates property to the JsonWebToken class, allowing custom handling of specific claim names during token reading. (src/Microsoft.IdentityModel.JsonWebTokens/JsonWebToken.cs)

Updates to TokenValidationParameters:

Added the ReadTokenPayloadValueDelegates property to the TokenValidationParameters class to support custom claim handling during token validation. (src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs) [1] [2]
Updated the copy constructor of TokenValidationParameters to include the new ReadTokenPayloadValueDelegates property. (src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs)

Refactoring and cleanup:

Refactored the ReadPayloadValue method in JsonWebToken.PayloadClaimSet to simplify the handling of standard claims and integrate custom delegate handling. (src/Microsoft.IdentityModel.JsonWebTokens/Json/JsonWebToken.PayloadClaimSet.cs) [1] [2]
Removed the CustomJsonWebToken class from the tests, as its functionality is now covered by the new delegate-based approach. (test/Microsoft.IdentityModel.JsonWebTokens.Tests/CustomJsonWebToken.cs)

Delegate introduction:

Introduced the ReadTokenPayloadValueDelegate delegate to handle custom claim reading during token payload processing. (src/Microsoft.IdentityModel.Tokens/Delegates.cs)

pmaytak · 2024-11-07T20:35:15Z

Edit: These results are outdated.

Looks like when using delegates there're extra allocations because of:

string claimName = reader.GetString();
claims[claimName] = ReadTokenPayloadValueDelegate(ref reader, claimName);

Delegates	Method	Mean	Ratio	Error	StdDev	P90	P95	P100	Gen0	Allocated	Alloc Ratio
Without	JsonWebTokenHandler_ValidateTokenAsyncWithTVP	30.72 μs	1.000	0.026 μs	0.055 μs	30.79 μs	30.81 μs	30.89 μs	0.2441	7.23 KB	1.00
With	JsonWebTokenHandler_ValidateTokenAsyncWithTVP	30.66 μs	0.998	0.124 μs	0.273 μs	30.96 μs	31.02 μs	31.10 μs	0.3052	7.55 KB	1.044

Delegates	Method	Mean	Ratio	Error	StdDev	P90	P95	P100	Gen0	Allocated	Alloc Ratio
Without	ReadJWS_FromMemory	8.373 μs	1.00	0.0331 μs	0.0727 μs	8.465 μs	8.499 μs	8.530 μs	0.2289	5.84 KB	1.00
With	ReadJWS_FromMemory	8.201 μs	0.979	0.0287 μs	0.0636 μs	8.295 μs	8.313 μs	8.357 μs	0.2441	6.07 KB	1.039

Copilot

Copilot reviewed 5 out of 9 changed files in this pull request and generated no comments.

Files not reviewed (4)

src/Microsoft.IdentityModel.JsonWebTokens/InternalAPI.Unshipped.txt: Language not supported
src/Microsoft.IdentityModel.Tokens/InternalAPI.Unshipped.txt: Language not supported
test/Microsoft.IdentityModel.JsonWebTokens.Tests/CustomJsonWebToken.cs: Evaluated as low risk
src/Microsoft.IdentityModel.JsonWebTokens/Json/JsonWebToken.PayloadClaimSet.cs: Evaluated as low risk

Comments suppressed due to low confidence (1)

src/Microsoft.IdentityModel.JsonWebTokens/Json/JsonClaimSet.cs:31

The initialization of _jsonClaims should be 'new Dictionary<string, object>()' instead of '[]'.

_jsonClaims = [];

pmaytak · 2025-01-15T08:20:01Z

Edit: These results are outdated.

Updated results comparing delegates which have a dictionary as a parameter. Ran JsonWebTokenHandler_ValidateTokenAsyncWithTVP and ReadJWS_FromMemory with extended claims. These test using the default delegate implemenation.

Delegates	Method	Mean	Ratio	Error	StdDev	P90	P95	P100	Gen0	Allocated	Alloc Ratio
Without	JsonWebTokenHandler_ValidateTokenAsyncWithTVP	30.13 μs	1.00	0.169 μs	0.374 μs	30.61 μs	30.74 μs	31.07 μs	0.2441	7.23 KB	1.00
With	JsonWebTokenHandler_ValidateTokenAsyncWithTVP	29.34 μs	0.974	0.085 μs	0.188 μs	29.59 μs	29.61 μs	29.87 μs	0.2441	7.33 KB	1.014

Delegates	Method	Mean	Ratio	Error	StdDev	P90	P95	P100	Gen0	Allocated	Alloc Ratio
Without	ReadJWS_FromMemory	7.523 μs	1.00	0.0333 μs	0.0724 μs	7.599 μs	7.612 μs	7.672 μs	0.2365	5.84 KB	1.00
With	ReadJWS_FromMemory	7.059 μs	0.938	0.0416 μs	0.0905 μs	7.160 μs	7.170 μs	7.205 μs	0.2365	5.84 KB	1.00

BenchmarkDotNet v0.13.12, Windows 11 (10.0.26100.2605) (Hyper-V)
Intel Xeon Platinum 8370C CPU 2.80GHz, 1 CPU, 16 logical and 8 physical cores
.NET SDK 9.0.101
[Host] : .NET 8.0.11 (8.0.1124.51707), X64 RyuJIT AVX-512F+CD+BW+DQ+VL+VBMI
MediumRun : .NET 8.0.11 (8.0.1124.51707), X64 RyuJIT AVX-512F+CD+BW+DQ+VL+VBMI

github-actions · 2025-02-11T08:47:26Z

Summary


Generated on:	2/11/2025 - 8:47:25 AM
Coverage date:	2/11/2025 - 8:37:55 AM - 2/11/2025 - 8:47:00 AM
Parser:	MultiReport (60x Cobertura)
Assemblies:	1
Classes:	7
Files:	2
Line coverage:	80.3% (620 of 772)
Covered lines:	620
Uncovered lines:	152
Coverable lines:	772
Total lines:	483
Branch coverage:	67.8% (228 of 336)
Covered branches:	228
Total branches:	336
Method coverage:	Feature is only available for sponsors

Coverage

Microsoft.IdentityModel.JsonWebTokens - 80.3%

Name	Line	Branch
Microsoft.IdentityModel.JsonWebTokens	80.3%	67.8%
Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities	100%
System.Text.RegularExpressions.Generated	80.3%	67.8%
System.Text.RegularExpressions.Generated	80.3%	67.8%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F12A1AEDDDFE32BA DF4DBFF323AF1BCB48B9F9721B7CD3E05F5E034CF225E3DF8__CreateJweRegex_1	79.2%	68%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F12A1AEDDDFE32BA DF4DBFF323AF1BCB48B9F9721B7CD3E05F5E034CF225E3DF8__CreateJwsRegex_0	81.4%	67.6%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F334844C618E00D3 CEC5D3FE0D00CF0141BBEE98635313BB2CB8D3921464CE05A__CreateJweRegex_1	79.2%	68%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F334844C618E00D3 CEC5D3FE0D00CF0141BBEE98635313BB2CB8D3921464CE05A__CreateJwsRegex_0	81.4%	67.6%

github-actions · 2025-02-11T09:00:21Z

Summary


Generated on:	2/11/2025 - 9:00:21 AM
Coverage date:	2/11/2025 - 8:50:12 AM - 2/11/2025 - 8:59:54 AM
Parser:	MultiReport (60x Cobertura)
Assemblies:	1
Classes:	7
Files:	2
Line coverage:	80.3% (620 of 772)
Covered lines:	620
Uncovered lines:	152
Coverable lines:	772
Total lines:	483
Branch coverage:	67.8% (228 of 336)
Covered branches:	228
Total branches:	336
Method coverage:	Feature is only available for sponsors

Coverage

Microsoft.IdentityModel.JsonWebTokens - 80.3%

Name	Line	Branch
Microsoft.IdentityModel.JsonWebTokens	80.3%	67.8%
Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities	100%
System.Text.RegularExpressions.Generated	80.3%	67.8%
System.Text.RegularExpressions.Generated	80.3%	67.8%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F12A1AEDDDFE32BA DF4DBFF323AF1BCB48B9F9721B7CD3E05F5E034CF225E3DF8__CreateJweRegex_1	79.2%	68%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F12A1AEDDDFE32BA DF4DBFF323AF1BCB48B9F9721B7CD3E05F5E034CF225E3DF8__CreateJwsRegex_0	81.4%	67.6%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F334844C618E00D3 CEC5D3FE0D00CF0141BBEE98635313BB2CB8D3921464CE05A__CreateJweRegex_1	79.2%	68%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F334844C618E00D3 CEC5D3FE0D00CF0141BBEE98635313BB2CB8D3921464CE05A__CreateJwsRegex_0	81.4%	67.6%

src/Microsoft.IdentityModel.JsonWebTokens/Json/JsonWebToken.PayloadClaimSet.cs

brentschmaltz · 2025-02-18T19:01:44Z

It would be great to have the same design when reading the header.

brentschmaltz

We need a way to allow the user to parse all claims in a performant manner.
This design skips claims that are parsed.

Allowing the user to parse all claims allows for an implementation where validation could fail fast.

Failing fast needs to have a design that can propagate a detailed error result to upper layers for error reporting.

…sts.

github-actions · 2025-03-24T05:04:57Z

Summary


Generated on:	3/24/2025 - 5:04:56 AM
Coverage date:	3/24/2025 - 4:55:10 AM - 3/24/2025 - 5:04:29 AM
Parser:	MultiReport (60x Cobertura)
Assemblies:	1
Classes:	7
Files:	2
Line coverage:	80.3% (620 of 772)
Covered lines:	620
Uncovered lines:	152
Coverable lines:	772
Total lines:	483
Branch coverage:	67.8% (228 of 336)
Covered branches:	228
Total branches:	336
Method coverage:	Feature is only available for sponsors

Coverage

Microsoft.IdentityModel.JsonWebTokens - 80.3%

Name	Line	Branch
Microsoft.IdentityModel.JsonWebTokens	80.3%	67.8%
Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities	100%
System.Text.RegularExpressions.Generated	80.3%	67.8%
System.Text.RegularExpressions.Generated	80.3%	67.8%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F12A1AEDDDFE32BA DF4DBFF323AF1BCB48B9F9721B7CD3E05F5E034CF225E3DF8__CreateJweRegex_1	79.2%	68%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F12A1AEDDDFE32BA DF4DBFF323AF1BCB48B9F9721B7CD3E05F5E034CF225E3DF8__CreateJwsRegex_0	81.4%	67.6%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F334844C618E00D3 CEC5D3FE0D00CF0141BBEE98635313BB2CB8D3921464CE05A__CreateJweRegex_1	79.2%	68%
System.Text.RegularExpressions.Generated.<RegexGenerator_g>F334844C618E00D3 CEC5D3FE0D00CF0141BBEE98635313BB2CB8D3921464CE05A__CreateJwsRegex_0	81.4%	67.6%

pmaytak · 2025-03-24T06:49:55Z

Edit: These results are outdated. See update in the most recent post.

The three scenarios compared below:

Dev branch, JWT has custom claims, these are saved as string JSON.
This feature branch, JWT has custom claims, no delegates are set, claims are saved as strings.
This feature branch, JWT has custom claims and delegates which parse them into an object.
Same cases as above, also creates claims.

Branch	Method	Mean	Ratio	Error	StdDev	P90	P95	P100	Gen0	Allocated	Alloc Ratio
Base	JsonWebTokenHandler_ValidateTokenAsync	30.59 μs	1.000	0.037 μs	0.079 μs	30.68 μs	30.72 μs	30.85 μs	0.4272	7.51 KB	1.000
Feature	JsonWebTokenHandler_ValidateTokenAsync	30.61 μs	1.000	0.068 μs	0.145 μs	30.84 μs	30.88 μs	31.00 μs	0.4272	7.94 KB	1.057
Feature	JsonWebTokenHandler_ValidateTokenAsyncWithDelegates	31.36 μs	1.025	0.065 μs	0.142 μs	31.51 μs	31.59 μs	31.94 μs	0.4883	8 KB	1.065
Base	JsonWebTokenHandler_ValidateTokenAsync_CreateClaims	35.38 μs	1.000	0.130 μs	0.286 μs	35.80 μs	35.88 μs	36.10 μs	1.0376	17.3 KB	1.000
Feature	JsonWebTokenHandler_ValidateTokenAsync_CreateClaims	34.88 μs	0.986	0.123 μs	0.260 μs	35.24 μs	35.37 μs	35.71 μs	1.0376	17.73 KB	1.025
Feature	JsonWebTokenHandler_ValidateTokenAsyncWithDelegates_CreateClaims	35.42 μs	1.001	0.072 μs	0.158 μs	35.62 μs	35.72 μs	35.80 μs	0.9766	17.79 KB	1.028

pmaytak · 2025-03-24T18:45:58Z

Edit: These results are outdated. See update in the most recent post.

The difference in code from the previous perf results is that this time the delegates are null by default (and not set to new dictionary) which reduced the allocations from the previous run. Latest commit: 3c2fbbc

The three scenarios compared below:

Dev branch, JWT has custom claims, these are saved as string JSON.
This feature branch, JWT has custom claims, no delegates are set, claims are saved as strings.
This feature branch, JWT has custom claims and delegates which parse them into an object.
Same cases as above, also creates claims.

Branch	Method	Mean	Ratio	Error	StdDev	P90	P95	P100	Gen0	Allocated	Alloc Ratio
Base	JsonWebTokenHandler_ValidateTokenAsync	30.59 μs	1.000	0.037 μs	0.079 μs	30.68 μs	30.72 μs	30.85 μs	0.4272	7.51 KB	1.000
Feature	JsonWebTokenHandler_ValidateTokenAsync	30.29 μs	0.990	0.061 μs	0.131 μs	30.47 μs	30.51 μs	30.65 μs	0.4272	7.63 KB	1.016
Feature	JsonWebTokenHandler_ValidateTokenAsyncWithDelegates	31.16 μs	1.019	0.099 μs	0.217 μs	31.51 μs	31.54 μs	31.59 μs	0.4272	7.77 KB	1.035
Base	JsonWebTokenHandler_ValidateTokenAsync_CreateClaims	35.38 μs	1.000	0.130 μs	0.286 μs	35.80 μs	35.88 μs	36.10 μs	1.0376	17.3 KB	1.000
Feature	JsonWebTokenHandler_ValidateTokenAsync_CreateClaims	34.65 μs	0.979	0.074 μs	0.162 μs	34.84 μs	34.93 μs	35.03 μs	0.9766	17.41 KB	1.006
Feature	JsonWebTokenHandler_ValidateTokenAsyncWithDelegates_CreateClaims	35.70 μs	1.009	0.083 μs	0.180 μs	35.86 μs	35.96 μs	36.47 μs	1.0376	17.55 KB	1.008

…wt (#153) Updated [Microsoft.IdentityModel.Tokens](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) from 7.5.1 to 8.16.0. <details> <summary>Release notes</summary> _Sourced from [Microsoft.IdentityModel.Tokens's releases](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases)._ ## 8.16.0 ## New Features * Add telemetry around signature validation. See [PR #3415](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3415) for details. ## Fundamentals * Fix FileVersion format to use two-digit year and day of year. See [PR #3389](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3389) for details. ## 8.15.0 ## New Features - **Add ECDsa support in `X509SecurityKey` and `JsonWebKeyConverter.ConvertFromX509SecurityKey`** Extended `X509SecurityKey` and `JsonWebKeyConverter.ConvertFromX509SecurityKey` to support ECDSA keys. See PR [#2377](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2377) for details. ## Bug Fixes - **Sanitize logs to avoid leaking sensitive data** Updated logging to sanitize sensitive values, reducing the risk of inadvertently exposing secrets or PII in logs. See PR [#3316](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3316) for details. - **Optimize log sanitization with `SearchValues`** Improved the performance of the log sanitization logic introduced earlier by using `SearchValues`, making sanitization more efficient in high-throughput scenarios. See PR [#3341](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3341) for details. - **Update test for `IDX10400`** Adjusted the `IDX10400` test to align with the current behavior and error messaging. See PR [#3314](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3314) for details. ## Fundamentals - **Add supported algorithm tests** Added new tests to validate the set of supported cryptographic algorithms, increasing confidence in algorithm coverage and compatibility. See PR [#3296](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3296) for details. - **Migrate repository agent rules from `.clinerules` to `agents.md`** Moved repository agent/AI-assist rules into markdown documentation to make them more visible and easier to maintain. See PR [#3313](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3313) for details. - **Migrate `Microsoft.IdentityModel.TestExtensions` from Newtonsoft.Json to System.Text.Json** Updated `Microsoft.IdentityModel.TestExtensions` to use `System.Text.Json` instead of `Newtonsoft.Json`, aligning tests with the runtime serialization stack. See PR [#3356](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3356) for details. - **Disable code coverage comments** Turned off automated code coverage comments on PRs to reduce noise while retaining coverage data elsewhere. See PR [#3349](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3349) for details. - **Fix CodeQL alerts** Addressed CodeQL-reported issues to improve security posture and static analysis cleanliness. See PR [#3364](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3364) for details. ### .NET 10 / SDK and tooling updates - **Building with .NET 10 preview / RC 1** Updated the repository to build and test against .NET 10.0 preview/RC1, ensuring early compatibility with the upcoming runtime. See PRs [#3287](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3287), [#3357](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3357), and [#3358](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3358) for details. - **Fix .NET 10 test execution consistency** Ensured consistent use of the `TargetNetNext` parameter across build, test, and pack phases so .NET 10.0 tests execute reliably. See PR [#3337](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3337) for details. - **Update project files and workflows for .NET 10.0 compatibility** Adjusted project files and CI workflows to correctly target and run on .NET 10.0, including test and pack scenarios. See PR [#3363](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3363) for details. - **Update .NET version to meet CG compliance** Updated the .NET version references to be compliant with corporate governance (CG) requirements. See PR [#3353](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3353) for details. - **Update Coverlet collector and test SDK** - Bumped `CoverletCollectorVersion` to 6.0.4. See PR [#3333](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3333) for details. - Upgraded `Microsoft.NET.Test.Sdk` to a newer version for improved test reliability and tooling support. ... (truncated) ## 8.14.0 8.14.0 ==== ## Bug Fixes - Switch back to use `ValidationResult` instead of `OperationResult` when validating a token in a new experimental validation flow. Additionally removed the dependency on Microsoft.IdentityModel.Abstractions. See [#3299](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3299) for details. ## 8.13.1 8.13.1 ==== ## Dependencies Microsoft.IdentityModel now depends on Microsoft.Identity.Abstractions 9.3.0 ## Bug Fixes - Fixed a decompression failure happening for large JWE payloads. See [#3286](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3286) for details. ### Work related to redesign of IdentityModel's token validation logic [#2711](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2711) - Update the validation methods to return Microsoft.Identity.Abstractions.OperationResult. See [#3284](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3284) for details. 8.13.0 ## 8.13.0 8.13.0 ==== ### Fundamentals - `CaseSensitiveClaimsIdentity.SecurityToken` setter is now protected internal (was internal). See PR [#3278](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3278) for details. - Update .NET SDK version to 9.0.108 used when building or running the code. See PR [#3274](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3274) for details. - Update RsaSecurityKey.cs to replace the Pkcs1 padding by Pss from HasPrivateKey check. See [#3280](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3280) for details. ## What's Changed * Make CaseSensitiveClaimsIdentity.SecurityToken setter protected by @keegan-caruso in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3278 * Update .NET SDK version in global.json from 9.0.107 to 9.0.108 by @Copilot in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3274 * Update RsaSecurityKey.cs to remove Pkcs 1 by @keegan-caruso in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3280 * changelog for 8.13 by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3282 ## New Contributors * @Copilot made their first contribution in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3274 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.12.1...8.13.0 ## 8.12.1 8.12.1 ==== ### Fundamentals - Update .NET SDK version to 9.0.107 used when building or running the code. See [#3263](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3263) for details. - To keep our experimental code separate from production code, all files associated with experimental features have been moved to the Experimental folders. See PR [#3261](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3261) for details. - Experimental code leaked into TokenValidationResult from early prototypes. See PR [#3259](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3259) for details. ## What's Changed * Remove experimental code from TokenValidationResult by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3259 * Moved files to experimental folder by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3261 * Update global.json to latest by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3263 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.12.0...8.12.1 ## 8.12.0 8.12.0 ==== ## New Features - **Enhance ConfigurationManager with event handling** Added event handling capabilities to the `ConfigurationManager`, enabling consumers to subscribe to configuration change events. This enhancement improves extensibility and allows more responsive applications. For details see [#3253](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3253) ## Bug Fixes - **Add expected Base64UrlEncoder.Decode overload for NET6 and 8** Introduced the expected overload of `Base64UrlEncoder.Decode` for .NET 6 and 8, ensuring compatibility and preventing missing method issues on these frameworks. For details see [#3249](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3249) ## Fundamentals - **Add AI assist rules** Incorporated AI assist rules to enhance AI agents effectiveness. For details see [#3255](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3255) - **Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0** Upgraded analyzer packages for improved diagnostics and code consistency (in particular delegates are added). For details see [#3256](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3256) - **Move suppression of RS006 to csproj** Centralized suppression of RS006 warnings in project files for easier management. For details see [#3230](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3230) ## What's Changed * Move suppression of RS006 to csproj. by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3230 * Add expected Base64UrlEncoder.Decode overload for NET6 and 8 by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3250 * add ai assist rules by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3255 * Enhance ConfigurationManager with event handling by @GeoK in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3254 * Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0 by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3256 * Update CHANGELOG.md for 8.12.0 by @jmprieur in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3258 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.11.0...8.12.0 ## 8.11.0 8.11.0 ===== ## New Features: - Microsoft.IdentityModel now exposes the AadIssuerValidator factory method publicly to enable caching functionality for AadIssuerValidator instances. See issue [#3245](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3245) for details. - Added a new public async API: `JsonWebTokenHandler.DecryptTokenWithConfigurationAsync`, which decrypts a JWE token using keys from either `TokenValidationParameters` or, if not present, from configuration (such as via a ConfigurationManager). This enhancement improves developer experience by enabling asynchronous, cancellation-aware JWE decryption scenarios, aligning with modern .NET async patterns and making integration with external key/configuration sources more robust and observable. See PR [#3243](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3243) for details. ## What's Changed * few updates by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3242 * Changelog for 8.10.0 by @sruke in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3241 * Exposes publicly override of AadIssuerValidator factory taking a delegate by @jmprieur in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3244 * update current version to 8.10.0 by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3246 * Add DecryptTokenWithConfiguration API by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3243 * changelog for 8.11 by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3248 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.10.0...8.11.0 ## 8.10.0 8.10.0 ===== ## Bug Fixes - Corrected casing of the Type attribute in SubjectConfirmationData. See [#3206](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3206). - Removed Microsoft.Bcl.Memory dependency for pre-.NET 9.0 targets. See [#3220](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/33784b8ec0ff4300efad788535f90b3adc5bdfd1). - Aligned Microsoft.Extensions.Logging.Abstractions version to 8.0.0 for .NET 9 to match other targets. See [#3226](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/793bd34e945eb8ba7528cf87c4a29a29c4704a65). ## Fundamentals - Introduced Long-Term Support (LTS) policy. See [#3228](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/946bec18cdeb26b8133a04e8c056dd5f17588f89) and [#3232](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/commit/14842aedb3d57c32b9ce784061cd9beccbdd1eb1). ## 8.9.0 8.9.0 ===== ## Bug Fixes - syncAfter has been updated to preserve UTC information, addressing a bug where GetConfigurationAsync does not refresh configuration in ConfigurationManager. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3213. - Fixed a null reference issue in KeyInfo. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3203. ## New Features - Introduced a new delegate for reading custom token payload values on JsonWebToken. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2981. - Added an overload for ReadJsonWebToken to take a ReadOnlyMemory. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3205. ## Fundamentals - Utilized IList to avoid enumerator allocation during audience validation. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3204. ## 8.8.0 8.8.0 ===== ## New Features - Adds the ability for the metadata refresh to be done as a blocking call, as per 8.0.1 behavior. This is done through the `Switch.Microsoft.IdentityModel.UpdateConfigAsBlocking` switch. If set, configuration calls will be blocking when metadata is updated, otherwise, if token arrive with a new signing keys, validation errors will be returned to the caller. See PR [#3193](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3193) for details. - Identity.Model updates some log and error messages (IDX10214, IDX10215). If the information is needed for debugging purposes, it can be reverted via the `Switch.Microsoft.IdentityModel.DoNotScrubExceptions` AppContextSwitch. See PR [#3195](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3195) and https://aka.ms/identitymodel/app-context-switches for details. - Change all plain object locks to `System.Thread.Lock` objects for .NET 9 or greater. See PRs [#3185](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3185) and [#3189](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3189) for details. ## 8.7.0 ## Bug Fixes - Add back internal methods `IsRecoverableException` and `IsRecoverableExceptionType` whose signatures were changed in the previous version. See [#3181](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3181). ## New Features - Make `Cnf` class public and move it to Microsoft.IdentityModel.Tokens package. See [#3165](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3165). ## What's Changed * Post Release 8.6.1 cleanup by @mdchennu in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3160 * Updates CodeQL.yaml to exclude test files by @sruke in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3163 * Adds explanation for CodeQL warnings by @sruke in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3167 * Fix typo by @rstm-sf in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3175 * Need to change the locks by @JoshLozensky in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3171 * Move CNF from SHR to M.IM.Tokens by @keegan-caruso in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3168 * Add back IsRecoverableException methods. by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3183 * Revert "Need to change the locks" by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3186 * 8.7.0 changelog by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3184 ## New Contributors * @rstm-sf made their first contribution in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3175 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.6.1...8.7.0 ## 8.6.1 8.6.1 ===== ## Bug fix - Microsoft.IdentityModel now triggers a configuration refresh if token decryption fails. See issue [#3148](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3148) for details. - Fix a bug in `JsonWebTokenHandler` where `JwtTokenDecryptionParameters`'s `Alg` and `Enc` were not set during token decryption, causing `IDX10611` and `IDX10619` errors to show null values in the messages. See issue [#3003](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3003) for details. ## Fundamentals - For development, IdentityModel now has a global.json file to specify the .NET SDK version. See issue [#2995](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2995) for details. ## What's Changed * Update version.props to next version by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3145 * Update the public API shipped files by @jmprieur in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3146 * Add global.json file by @mdchennu in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3153 * Trigger metadata refresh for token decryption errors by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3149 * Populate error messages correctly from JwtTokenUtilities.DecryptJwtToken by @ksaaf in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3152 * first changelog update by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3156 ## New Contributors * @mdchennu made their first contribution in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3153 * @ksaaf made their first contribution in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3152 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.6.0...8.6.1 ## 8.6.0 8.6.0 ===== ## New Features - TokenValidationParameters has a new boolean property `TryAllDecryptionKeys` that let you choose whether to try all decrypt keys when no key matches the token decrypt key IDs. By default it's set to **true** (legacy behavior) but you can set it to false to avoid tyring all keys which is more performant. See [#3128](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3128) - Promote KeyInfo.MatchesKey from internal to protected internal virtual to enable SAML extensibility (for CoreWcf). See [#3140](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3140) ## Fundamentals * Update dependency on Microsoft.Extensions.Logging.Abstractions from 9.0.0 to 8.0.2 to avoid package downgrade in apps on .NET 9 using a netstandard2.0 library referencing logging.abstractions. See [3143](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3143) * Add more tests for encrypted tokens. See [#3139](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3139) ## What's Changed * Update CHANGELOG.md by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3133 * Update version.props to next version by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3137 * Add TryAllDecryptionKeys flag to whether decrypt if no key IDs match by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3128 * Change KeyInfo.MatchesKey from internal to protected internal virtual. by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3140 * Fix #3112 by @jmprieur in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3143 * Add more auto-decryption related tests by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3139 * Update changelog.md for 8.6.0 by @jmprieur in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3144 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.5.0...8.6.0 ## 8.5.0 8.5.0 ===== ## Reverting previous breaking change - The Configuration Manager has been reverted to version 8.3.1. The changes made in 8.4.0 assume the configuration manager is used as a singleton, which is similar to marking the type as disposable. We have since learned that [adding IDisposable is a breaking change](https://learn.microsoft.com/en-us/dotnet/fundamentals/runtime-libraries/system-idisposable), so we are following [semver guidance](https://semver.org/#what-do-i-do-if-i-accidentally-release-a-backward-incompatible-change-as-a-minor-version) and reverting and releasing a minor version (8.5.0). - Cherry-picked Changes: Included changes from PR [#3022](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3022) and [#3104](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3104). ## What's Changed * Update version.props by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3126 * fix formatting error by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3134 * Revert configuration manager to 8.3.1 by @keegan-caruso in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3132 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.4.0...8.5.0 ## 8.4.0 8.4.0 ===== ## New Features - App context switch allows blocking or non-blocking calls for configuration. See PR [#3106](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3106) for details and issue [#3082](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3082) for details. If you are not using the ConfigurationManager as a singleton and not using the blocking option, you may need to call ShutdownBackgroundTask() to stop the background task to avoid leaking Tasks. - IdentityModel now enables symmetric and asymmetric keys to be created publicly with JWK. See [#3094](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3094) for details. - IdentityModel now allows specifying the HTTP protocol version and version policy. See [#2808](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2808) for details. ## Repair items - Add request count and duration telemetry for configuration requests. See [#3022](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3022) for details. - `KeyID` should be present in exception messages and is no longer PII. See [#3104](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3104) for details. ## Fundamentals - Fix spelling issues in xml comments. See [#3117](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3117) for details. - Fix comment coverage in PR builds. See [#3079](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3079) for details. ### Work related to redesign of IdentityModel's token validation logic [#2711](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2711) - See [#3056](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3056). [#3100](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3100), [#3017](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3107), and [#3111](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3111). - Add internal virtual on TokenHandler. See [#3084](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3084) for details. * @prochnowc made their first contribution in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2809 ## 8.3.1 8.3.1 ===== ## Bug Fixes * Respect TVP.RequireAudience when set to false. See [#3055](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3055) * For net4.6.2 select RSACng for PSS support. See [#3097](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3097) * Fix package downgrade in consuming libraries. See[#3062](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3062) * Fix integer overflow in `AuthenticationEncryptionProvider.cs`. See [#3063](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3063) ## Fundamentals * Removed unused property on JsonWebToken ClaimsIdentity. See [#3071](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/3071) for details. * Upgrade to C# 13. See [#2998](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2998) * Use new Base64Url API. See [#22817](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2817) * Add warning quality check. See [#3067](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3067) * Update dotnet actions. see [#3074](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3074) * Fix warnings. See [#3081](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3081) * Test updates in JsonWebToken. See [#3080](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3080). ### Work related to redesign of IdentityModel's token validation logic [#2711](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2711) - [#3027](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3027), [#3028](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3028), [#3051](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3051), [#3054](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3054) ## What's Changed * Update CHANGELOG.md by @jmprieur in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3053 * Extensibility tests: Audience - JWT, SAML and SAML2 by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3027 * Extensibility tests: Lifetime - JWT, SAML and SAML2 by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3028 * Implement lazy ClaimsIdentity creation from ValidatedToken on SAML and SAML2 on the new validation model by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3051 * Add logging to the new validation model by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3054 * update version by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3057 * lower version to avoid downgrades. by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3058 * Respect TVP.RequireAudience when set to false by @kllysng in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3055 * Fix package downgrade in consuming libraries by @jmprieur in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3062 * Add slnf for running perf and stress tests by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3066 * Add Warning Quality Check Build Task 🔨 by @kllysng in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3067 * Update template-Build-run-tests-sign.yml by @ciaozhang in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3069 * Removed unused property on JsonWebToken by @keegan-caruso in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3072 * Update setup dotnet actions by @keegan-caruso in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3074 * fixed #2983 and re-add code coverage comments to PRs by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3076 * Remove duplicate keyid into var keysAttempted by @bdapoigny in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2899 * Upgrade to C# 13 by @westin-m in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2998 * Use new Base64Url API by @msbw2 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2817 * Update common.props by @ciaozhang in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3078 * fix warnings by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3081 * Fixed integer overflow in AuthenticatedEncryptionProvider.cs by @gparametr in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3063 * Test updates by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3080 * For net4.6.2 select RSACng for PSS support. by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3085 * changelog for 8.3.1 by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3098 ## New Contributors * @bdapoigny made their first contribution in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2899 * @gparametr made their first contribution in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3063 ... (truncated) ## 8.3.0 ## New features ### Work related to redesign of IdentityModel's token validation logic [#2711](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2711) * SAML and SAML2 new model validation: Token Replay. See [#2994](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2994) * Extensibility tests: Token Type - JWT ([#3030](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3030)), Issuer - SAML and SAML2 ([#3026](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3026)), Algorithm and Signature - JWT, SAML and SAML2 ([#3034](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3034)), Token Replay - JWT, SAML and SAML2 ([#3032](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3032)), Issuer signing key - JWT, SAML and SAML2 ([#3029](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/302)) * Avoid code duplication in extensibility testing. See [#3041](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3041) * Extensibility Testing: Refactor. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3011 * Remove duplicate code in extensibility tests. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3044 ## Bug fixes * Fix bug with AadIssuerValidator. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3042 * Fixed SignedHttpRequest flaky test. See [#3037](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3037) ## Fundamentals * Install all .NET versions in pipeline to fix run tests task. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3018 * Changelog for 8.2.1. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3009 * Remove unnecessary AoT test project. See in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3045 * Fix powershell script for nuget update. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3046 * Update to next version. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3010 * Disable Coverage PR comments. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3048 * Updates GitHub Action to support long paths, See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3049 * Stack parameters to improve reading of code. See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3031 ## New Contributors * @ssmelov made their first contribution in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3042 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.2.1...8.3.0 ## 8.2.1 8.2.1 ===== ### New features - Update to use .NET 9 GA. See [2990](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2990). ### Bug fixes - Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets. See [2935](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2935). - Update cgmanifest to align with the JSON schema. See [2969](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2969). ### Fundamentals - Streamline token creation in `SecurityTokenDescriptor`. See [2993](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2993). - Prevent inlining to guarantee stack frames in test. See [2999](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2999). ### Work related to redesign of IdentityModel's token validation logic [#2711](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2711) - Simplify stack frame caching. See [2976](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2976). - Implement reading SAML and SAML2 tokens. See [2980](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2980). - Implement validating SAML signature. See [2950](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2950). - Add tests for `IssuerExtensibility`. See [2987](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2987). - Add validation for SAML and SAML2 issuer signing key. See [2965](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2965). - Add validation for SAML and SAML2 algorithm. See [2984](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2984). ## What's Changed * Microsoft.Rest.ClientRuntime has been deprecated, which results in so… by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2970 * Update to next version after 8.2.0 release by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2975 * Consolidating test statics by @trwalke in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2956 * New token validation model: Simplify stack frame caching by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2976 * Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets by @filipnavara in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2935 * Update cgmanifest to align with the JSON schema by @jeffhandley in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2969 * SAML and SAML2 new model validation: Read Token by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2980 * SAML2 new model validation: Signature by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2961 * JsonWebTokenHandler IssuerExtensibility by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2987 * SAML and SAML2 new model validation: Issuer Signing Key by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2965 * Ignore AotCompatibilityTests on ADO by @jmprieur in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2992 * SAML and SAML2 new model validation: Algorithm by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2984 * Use SecurityTokenDescriptor when creating tokens by @msbw2 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2991 * Prevent inlining to guarantee stack frames in test by @westin-m in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3002 * Update to .NET 9 GA. Update some test dependencies. by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2990 * Add Abstractions.Tests to strong name bypass file. by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3004 ## New Contributors * @jeffhandley made their first contribution in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2969 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.2.0...8.2.1 ## 8.2.0 8.2.0 ===== ### Fundamentals - Update System.Text.Json to 8.0.5 CVE-2024-43485. See [2892](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2892). - Using FixedTimeEquals in NETCore targets. See [2857](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2857). - Updated .NET 9 to RC 2 [2898](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2898). - Adds ability to create token without kid [2968](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2968) - Enables code coverage in PRs [2946](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2946) - Various test improvements: - [#2953](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2953) - [#2955](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2955) - [#2951](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2951) - [#2952](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2952) - [#2947](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2947) ### Work related to redesign of IdentityModel's token validation logic [#2711](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2711) - Validates Audience for SAML2TokenHandler with New Model [2863](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2863) - Improvements to AudienceValidation [2902](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2902) - Added properties to ValidationResult [2923](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2923) - Implements Audience and Lifetime validations in SamlSecurityTokenHandler [2925](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2925) - Implements Issuer validation in SamlSecurityTokenHandler [2948](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2948) ## What's Changed * update to next version by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2890 * Use FixedTimeEquals in NETCore targets by @westin-m in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2857 * Update System.Text.Json to 8.0.5 CVE-2024-43485 by @msbw2 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2892 * Update .NET 9 to RC 2 by @msbw2 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2898 * Validate Audience for SAML2TokenHandler with New Model by @FuPingFranco in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2863 * Regression tests: Issuer by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2868 * Mark Wilson APIs as Shipped by @westin-m in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2903 * Add Tests for Lifetime Validation Using New Validation Model For SAML2 by @FuPingFranco in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2906 * Suggested changes to AudienceValidation by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2902 * Extensibility tests: Audience by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2861 * Added properties to ValidationResult without throwing by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2923 * Extensibility tests: Lifetime by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2867 * Regression tests: Issuer signing key by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2927 * Do not serialize CaseSensitiveClaimsIdentity.SecurityToken. by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2896 * Fix typo by @westin-m in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2894 * Implement and Test Audience and Lifetime validations in SamlSecurityTokenHandler with New Validation Model by @FuPingFranco in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2925 * Fix Flaky Tests: NameAndRoleClaimDelegates and RoleClaims by @kellyyangsong in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2873 * Regression tests: Signature by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2930 * Validate Issuer Using New Validation Model in Saml2SecurityTokenHandler by @FuPingFranco in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2929 * Fix builds on macOS / Linux using the build.sh script by @filipnavara in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2937 * Regression tests: Algorithm by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2934 * Regression tests: Token Type by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2932 * Regression tests: Token Replay by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2931 * Fix DevEx and IDDP builds such that when building internally, use an internal Nuget feed instead of nuget.org by @kellyyangsong in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2936 * Restore PopKeyResolvingTests.GetPopKeysFromJkuAsync by @kellyyangsong in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2947 * Restore skipped test: ReferenceCountingTest_MultiThreaded by @kellyyangsong in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2952 * Restore EnsureAotCompatibility test by @kellyyangsong in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2951 ... (truncated) ## 8.1.2 ## What's Changed ### Bug fixes * CaseSensitiveClaimsIdentity.Clone() now returns a `CaseSensitiveClaimsIdentity` as expected, by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2879 * Multiple unused and unusable (for the moment) public APIs were removed. These were introduced by mistake leaking from the work done on logging and exception handling, by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2888 ### Fundamentals * Enabled PublicApiAnalyzers to better understand and trace changes to the public API, by @keegan-caruso in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2782 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.1.1...8.1.2 ## 8.1.1 8.1.1 ===== ### Bug fixes - Fix bug where ConfigurationManager was updating keys too frequently. See [2866](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2866) for details. ## What's Changed * Rename validation delegates by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2847 * Remove TransformBeforeSignatureValidationDelegate from ValidationParameters by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2848 * Add disable discovery enumeration = true to all theory tests by @kellyyangsong in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2849 * Make CaseSensitiveClaimIdentity serializable by @kellyyangsong in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2850 * Remove Obsolete BinaryFormatter by @kellyyangsong in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2851 * Refactor ValidateConditions in Saml2SecurityTokenHandler by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2855 * Set custom BenchmarkDotNetconfig as default by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2852 * Regression tests: Audience by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2838 * Fix ValidateJsonWebTokenClaimMapping Flaky Test 🐞 by @kellyyangsong in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2859 * update current version by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2862 * Regression tests: Lifetime by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2839 * Rename ResolveTokenDecryptionKeyDelegate to DecryptionKeyResolverDelegate by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2869 * Set internal _syncAfter using only AutomaticRefreshInterval. by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2865 * 8.1.1 Changelog by @kellyyangsong in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2864 * Adjust for RefreshInterval not influencing AutomaticRefreshInterval. by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2870 **Full Changelog**: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.1.0...8.1.1 ## 8.1.0 8.1.0 ===== ### Performance improvements - Improves performance during issuer validation by replacing string comparison with span comparison. See PR [#2826](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2826). ### New features - Add optional check to prevent using keys that are shared across multiple clouds. See issue [#2832](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2832) for details. ### Bug fixes - JsonWebTokenHandler would only return unwrapped keys if there was no errors. This change is to align with the behavior in JwtSecurityTokenHandler, that is it returns the keys that were able to be unwrapped, and only throw if no keys were able to be unwrapped. See issue [#2695](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2695) for details. ### Fundamentals - Fix flaky tests. See [#2793](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2793) for details. - Update XUnit versoin and fix test warnings due to new XUnit analyzers. See PR [#2796](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2796) for details. - Onhboard to code coverage in ADO. See PR [#2798](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2798). - Use `IsTargetFrameworkCompatible(*)` so AOT is forward-compatible with .NET 9 and beyond. See PR [#2790](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2790) for details. - Fix a merge conflict impacting dev. See PR [#2819](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2819). - Defining the following attribute in multiple assemblies (.Tokens, .Logging) causes an internal error. [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors)]. See PR [#2820](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2820). - Remove perl dependency. See PR [#2830](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2830). ### Work related to redesign of IdentityModel's token validation logic [#2711](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2711) - [#2794](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2794) - [#2800](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2800) - [#2810](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2810) - [#2811](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2811) - [#2816](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2816) - [#2822](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2822) - [#2815](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2815) - [#2818](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2818) - [#2813](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2813) - [#2827](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2827) ## What's Changed * changelog 8.0.2 by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2792 * Update version.props to 8.0.2 by @jennyf19 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2791 * Fix Async Issue in Extensibility Tests by @FuPingFranco in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2795 * Update xUnit version and fix test warnings by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2796 * ValidateTokenAsync - New Path: Refactor result types by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2794 * Onboard to code coverage in ADO by @keegan-caruso in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2798 * Exception refinement: Adding additional information by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2800 * Add initial regression tests for the new validation path by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2810 * Use IsTargetFrameworkCompatible() by @martincostello in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2790 * Regression tests: Added inner exception detail and invalid signature failure due to invalid algorithm used by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2811 * Return unwrapped keys if able by @keegan-caruso in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2812 * New token validation path: Renamed result types by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2816 * Fix merge conflict by @msbw2 in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2819 * Removed attribute that causes issues with internal builds. by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2820 * Add missing exception type to ValidationError -> GetException() by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2822 * Regression testing: Add JWE use cases by @iNinja in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2815 ... (truncated) ## 8.0.2 8.0.2 ===== ### Security fundamentals - Add `BannedApiAnalyzers` to prevent use of `ClaimsIdentity` constructors. See PR [#2778](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2778) for details. ### Bug fixes - IdentityModel now allows the JWT payload to be an empty string. See issue [#2656](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2656) for details. - Cache `UseRfcDefinitionOfEpkAndKid` switch. See PR [#2747](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2747) for details. - Method was named `DoNotFailOnMissingTid` in 7x and `DontFailOnMissingTid` in 8x, adding the method for back compat. See issue [#2750](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2750) for details. - Metadata is now updated on a background thread. See [#2780](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2780) for details. - `JsonWebKeySet` stores the original string it was created with. See PR [#2755](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2755) for details. - Restore AOT compatibility. See [#2711](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2711). - Fix OpenIdConnect parsing bug. See [#2772](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2772) for details. - Remove the lock on creating a `SignatureProvider`. See [#2788](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2788) for details. ### Fundamentals - Test clean up [#2742](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2742). - Use only FxCop in .NET framework targets [#2693](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2693). - Add rule to add file headers automatically [#2748](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2748). - Code analysis updates [#2746](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2746). - Include README packages in NuGet [#2752](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2752). - Update projects inside WilsonUnix solution [#2768](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2768). - Code style enforced in build [#2603](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2603). - CodeQL update [#2767](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2767). - Update build pipeline to new one release build format [#2777](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2777). - Update GitHub actions to `9.0.100-preview.7.24407.12` and add `<NoWarn>$(NoWarn);SYSLIB0057</NoWarn>` due to breaking changes in preview7. [#2786](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2786). ### Work relating to [#2711](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2711) - [#2725](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2725), [#2729](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2729), [#2753](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2753), [#2758](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2758), [#2759](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2759), [#2757](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2758), [#2759](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2757), [#2764](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2758), [#2759](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2764), [#2771](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2758), [#2759](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2759), and [#2779](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2779). ## What's Changed * Remove old 6x tests used that are not needed anymore by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2742 * Only use fxcop in netfw by @keegan-caruso in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2693 * Allow Jwt payload to be the empty string. by @brentschmaltz in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2745 * Add rule to add file headers automatically. by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2748 * Remove Delegate Checks in Multiple Validators and Prevents Null Setting of Delegates by @FuPingFranco in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2725 * Fix CodeQL by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2746 * Cache UseRfcDefinitionOfEpkAndKid switch. by @pmaytak in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2747 * Decrypt token: Remove exceptions + use new ValidationParameters by @iNinja in https://github…

pmaytak changed the title ~~Replace JsonWebToken read overload method with delegates to read token values.~~ Replace JsonWebToken ReadPayloadValue with a delegate Nov 6, 2024

pmaytak force-pushed the pmaytak/jwt-ext branch from 3613363 to 3cbc31c Compare November 6, 2024 22:04

pmaytak force-pushed the pmaytak/jwt-ext branch from 3cbc31c to 4d5347b Compare December 20, 2024 21:02

pmaytak requested a review from Copilot January 8, 2025 08:35

Copilot AI reviewed Jan 8, 2025

View reviewed changes

pmaytak force-pushed the pmaytak/jwt-ext branch from add645b to 89a8c8a Compare January 24, 2025 08:10

pmaytak closed this Jan 24, 2025

pmaytak force-pushed the pmaytak/jwt-ext branch from 89a8c8a to 442baa3 Compare January 24, 2025 08:15

pmaytak reopened this Jan 24, 2025

Replace JsonWebToken ReadPayloadValue with a delegate

aecf790

pmaytak force-pushed the pmaytak/jwt-ext branch from e810ae2 to aecf790 Compare February 10, 2025 22:45

Refactor the single delegate approach into a collection of delegates.

c8207d2

pmaytak marked this pull request as ready for review February 11, 2025 08:46

pmaytak requested a review from a team as a code owner February 11, 2025 08:46

brentschmaltz reviewed Feb 18, 2025

View reviewed changes

src/Microsoft.IdentityModel.JsonWebTokens/Json/JsonWebToken.PayloadClaimSet.cs Outdated Show resolved Hide resolved

brentschmaltz suggested changes Feb 18, 2025

View reviewed changes

pmaytak added 5 commits March 19, 2025 00:05

Merge main.

0b931ae

Update the header reader code. Add back the virtual method. Update te…

119667e

…sts.

Minor changes. Update claim creation. Add tests.

a5e4624

Merge remote-tracking branch 'origin/dev' into pmaytak/jwt-ext

f693529

API and test fixes.

6704a92

Set the delegates to null by default to reduce allocations.

3c2fbbc

dependabot bot mentioned this pull request Mar 24, 2026

nuget: Bump Microsoft.IdentityModel.JsonWebTokens from 8.0.1 to 8.17.0 yongshuai1013/emu#21

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Replace JsonWebToken ReadPayloadValue with a delegate#2981

Replace JsonWebToken ReadPayloadValue with a delegate#2981
pmaytak merged 15 commits intodevfrom
pmaytak/jwt-ext

pmaytak commented Nov 5, 2024 •

edited

Loading

Uh oh!

pmaytak commented Nov 7, 2024 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

pmaytak commented Jan 15, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Feb 11, 2025

Uh oh!

github-actions bot commented Feb 11, 2025

Uh oh!

Uh oh!

brentschmaltz commented Feb 18, 2025

Uh oh!

brentschmaltz left a comment

Uh oh!

github-actions bot commented Mar 24, 2025

Uh oh!

pmaytak commented Mar 24, 2025 •

edited

Loading

Uh oh!

pmaytak commented Mar 24, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

pmaytak commented Nov 5, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pmaytak commented Nov 7, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

pmaytak commented Jan 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Feb 11, 2025

Summary

Coverage

Uh oh!

github-actions bot commented Feb 11, 2025

Summary

Coverage

Uh oh!

Uh oh!

brentschmaltz commented Feb 18, 2025

Uh oh!

brentschmaltz left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Mar 24, 2025

Summary

Coverage

Uh oh!

pmaytak commented Mar 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pmaytak commented Mar 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

pmaytak commented Nov 5, 2024 •

edited

Loading

pmaytak commented Nov 7, 2024 •

edited

Loading

pmaytak commented Jan 15, 2025 •

edited

Loading

pmaytak commented Mar 24, 2025 •

edited

Loading

pmaytak commented Mar 24, 2025 •

edited

Loading