2.15.2

2.15.2

• For the .NET 8 rc2 target framework, the IdentityModel dependencies have been updated to Identity.Model.*.7.0.3.

Bug Fixes

• Fixes a regression introduced in 2.15.0 where the OnTokenValidated delegates were no longer chained with an await. See issue#2513.

2.15.1

2.15.1

• Updated IdentityModel dependencies to Identity.Model.*.6.33.0 for all target frameworks other than .NET 8 rc1, for which Microsoft,Identity.Web leverages Identity.Model 7.0.2

New features

• TokenAcquirerFactory now adds support for reading the configuration from environment variables. See issue #2480

Experimental API

(to get feedback, could change without bumping-up the major version)

• It's now possible for an application to observe the client certificate selected by Token acquirer from the ClientCredentials properties, and when the certicate is un-selected (because it's rejected by the Identity Provider, as expired, or revoked). See Observing client certificates. PR #2496

Bug Fixes

• Fixes a resiliency issue where the client certificate rotation wasn't always happening (from KeyKeyVault, or certificate store with same distinguished name). See #2496 for details.
• In the override of AddMicrosoftIdentityWebApp taking a delegate, the delegate is now called only once (it was called twice causing the TokenValidated event to be called twice as well). Fixes #2328
• Fixes a regression introduced in 2.13.3, causing the configuration to not be read, when using an app builder other than the WindowsAppBuilder with AddMicroosftIdentityWebApp/Api, unless you provided an empty authentication scheme when acquiring a token. Fixes #2460, #2410, #2394

2.14.0

• Update to Abstractions 5.0.0
• Include new OpenIdConnect options from net 8. See PR #2462

Bug Fixes

• Chain the OnMessageReceived event. See PR #2468

2.13.4

2.13.4

• Update to IdentityModel 7.0.0-preview5 on .NET 8 and IdentityModel 6.32.3 for the other target frameworks.
• Update to MSAL 4.56.0, which now
  enables the cache synchronization by default
• Support for .NET 8 preview 7. See PR #2430

Bug fixes

• In Microsoft.Identity.Web.Owin, removed un-needed reference to Microsoft.Aspnet.WebApi.HelpPage. See issue #2417
• Fix to accomodate for breaking change in ASP.NET Core on .NET 8 that the SecurityToken is now a JsonWebToken. See issue #2420
• Improved the usability of IDownstreamApi by checking all HttpResponse for success before returning to the caller, instead of swallowing issues. This is a change of behavior. See issue #2426
• Improvement/Fix of OWIN scenarios, especially the session with B2C: #2388
• Fix an issue with CIAM web APIs and added two CIAM test apps. See PR #2411
• Fix a bug that is now surfaced by the .NET 8 runtime. See issue #2448
• Added a lock while loading credentials. See issue #2439

Fundamentals

• performance improvements: #2414
• Replaced Selenim with Playwright for more reliable faster UI tests. See issue #2354
• Added MSAL telemetry about the kind of token cache used (L1/L2). See issue #1900
• Resilience improvement: IdWeb now attempts to reload a certificate from its description when AAD returns "certificate revoked" error. See issue #244

2.13.3

• Update to Wilson 7.0.0-preview2 on .NET 8.

New features:

• Support langversion 11, which as fewer allocations compared to 10, see issue #2351 for details.
• In AspNET Core 3.1 and Net 5+, Microsoft.Identity.Web now use the DefaultTokenAcquisitionHost (the host for SDK apps) instead of the Asp.NET Core one, when the service collection was not initialized by ASP.NET Core.
  • This means the IWebHostEnvironment is not present in the collection.
  • If you want the ASP.NET Core host, you would need to use the WebApplication.CreateBuilder().Services instead of instantiating a simple service collection.
• In web APIs, GetAuthenticationResultForUserAsync tries to find the inbound token from user.Identity.BootstrapContext first (if not null), and then from the token acquisition host. This will help for non-asp.NET Core Azure functions for instance, see issue #2371 for details.

2.13.2

2.13.2

Bug fixes:

• Fix bug found in usage of AzureAD key issuer validator, see issue #2323.
• Improved performance in downstreamAPI, see issue #2355 for details.
• Address duplicate cache entries, with singleton token acquisition, which was causing much larger cache size than needed. See issue #2349.
• Distributed cache logger now prints correct cache entry size, see issue #2348

2.13.1

2.13.1

• Update to MSAL 4.55.0

New Features:

• Support new AzureAD key issuer validator in AddMicrosoftIdentityWebApi by default in Owin. See #2323 for details.

• Microsoft.Identity.Web now supports .NET 8 with conditional compilation, see #2309.

2.13.0

2.13.0

• Update to Wilson 6.32.0 and Microsoft.Identity.Abstractions 4.0.0

New Feature:

Support new AzureAD key issuer validator in AddMicrosoftIdentityWebApi by default. See #2323 for details.

2.12.4

2.12.4

• fix for CVE-2023-29331 in System.Security.Cryptography.Pkcs

2.12.2

2.12.2

New Feature:

• Id Web now supports the MS Graph v5 SDK, see issue #2097 for details.