chore(deps): update dotnet-azure-ad-microsoft-identity-web monorepo to v3 (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Microsoft.Identity.Web	2.21.1 -> 3.5.0
Microsoft.Identity.Web.MicrosoftGraph	2.21.1 -> 3.5.0
Microsoft.Identity.Web.UI	2.21.1 -> 3.5.0

---

Release Notes

AzureAD/microsoft-identity-web (Microsoft.Identity.Web)

v3.5.0

Compare Source

v3.4.0

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.2.1
• Updated to Microsoft.Identity.Abstractions 7.2.0

New features

• Add ROPC flow support for confidential client applications. See 3091, 3129, 3139.
• Allow multi-tenant applications to specify the AppHomeTenantId to be used for client credentials. See 3121, 3132.
• Update to use .NET 9 GA. See 3127.

v3.3.1

Compare Source

========

• Updated to Microsoft.IdentityModel.* 8.2.0

Supportability

• Added JSON schema support for Microsoft.Identity.Web configuration. This allows for schema validation in the appsettings.json, improving configuration accuracy and developer experience. To use it, add the following at the top of your appsettings.json:
  "$schema": "https://github.com/AzureAD/microsoft-identity-web/blob/master/JsonSchemas/microsoft-identity-web.json"
  This update enhances the configuration process by providing clear structure and validation for settings used in Microsoft.Identity.Web. See PR #​3119 for details.

Fundamentals

• Fix a flaky test in the L1L2Cache tests. See PR #​3122 for details.

v3.3.0

Compare Source

========

• Updated to Microsoft.Identity.Client 4.66.0
• Update system.Text.Json to 8.0.5 CVE-2024-43485
• Updated to .NET 9 RC2

New features

• Microsoft.Identity.Web token acquisitio now provides an extensibility mechanism to enlight non-standard features. For details, see #​2975

Fundamentals

• Split DownstreamApi methods between AoT compatible and incompatible methods by @​SaurabhMSFT in https://github.com/AzureAD/microsoft-identity-web/pull/3090
• ASP.NET Core (and other) cross-link updates by @​guardrex in https://github.com/AzureAD/microsoft-identity-web/pull/3096. Thank you!
• Onboarded to Threading Analyzers. For details, see #​3052
• display code coverage as PR comments
• Fix flaky EncryptionTestAsync on .NET 9.

v3.2.2

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.1.2

• Breaking change (without major version change. Sorry!)
  ClientAssertionProviderBase.GetSignedAssertion now takes an MSAL.NET AssertionRequestOptions and the method name has changed from GetSignedAssertion to GetClientAssertionAsync:

  var m = new ManagedIdentityClientAssertion("<some client id>");
  m.GetSignedAssertion(CancellationToken.None); // this method will break on v3.2.2  

v3.2.1

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.1.1

v3.2.0

Compare Source

=========

• Updated to Microsoft.Identity.Abstractions 7.1.0
• Updated to Microsoft.IdentityModel.* 8.1.0
• Updated to Microsoft.Identity.Client 4.64.1
   

New features

• In .NET 8 and above, IDownstreamApi overloads take a JsonTypeInfo<T> parameter to enable source generated JSON deserialization. See issue #​2930 for details.

Bug fixes:

• Azure region is used while creating application keys when the TokenAcquisition service caches application objects, and the TokenAcquirerFactory caches TokenAcquirer. See #​3002 for details.
• Improved error messages for FIC. See issue #​3000 for details.

Fundamentals:

• Improved test coverage for GetCacheKey. See PR #​3020 for details.
• Update to .NET 9-RC1. See issue #​3025 for details.
• Fix static analysis warnings. See PR #​3024 for details.

v3.1.0

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.0.2

Security improvement:

• Id Web now uses CaseSensitiveClaimsIdentity by default and provides AppContextSwitches to fallback to using ClaimsIdentity. This means that when you loopup claims with FindFirst(), FindAll() and HasClaim(), you need to provide the right casing for the claim. See PR #​2977 for details.

Bug fixes:

• For SN/I scenarios, Id Web's GetTokenAcquirer now sets SendX5C in particular protocols. See issue #​2887 for details.
• Fix for Instance/Tenant parsing for V2 authority (affected one Entra External IDs scenario). See PR #​2954 for details.
• Fix regex that threw a format exception: The input string " was not in a correct format when enabling same-site cookie compatibility with userAgent: "Dalvik/2.1.0 (Linux; U; Android 12; Chromecast Build/STTE.230319.008.H1). See issue #​2879 for details.
• Microsoft.Identity.Web 3.1.0 now has an upper bound set on its dependency on Microsoft.Identity.Abstractions to version 7x to avoid referencing Microsoft.Identity.Abstractions 8.0.0, which has an interface breaking change, not yet implemented in Microsoft.Identity.Web. See PR #​2962 for details.

Fundamentals:

• Fix flakey tests: #​2972, #​2984, #​2982,
• Update to AzureKeyVault@2 in AzureDevOps, #​2981.
• Update to .NET 9-preview7, #​2980 and #​2991.
• It's now possible to build a specific version of Microsoft.Identity.Web based on specific versions of Microsoft.IdentityModel and Microsoft.Identity.Abstractions by specifying build variables on the dotnet pack command (MicrosoftIdentityModelVersion, MicrosoftIdentityAbstractionsVersions, and MicrosoftIdentityWebVersion): #​2974, #​2990

========

See rel/v2 branch changelog for changes to all 2.x.x versions after 2.18.1.

The changes listed in the rel/v2 changelog are also in the 3.x.x versions of Id Web but are not listed here.

========

v3.0.1

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 8.0.1

v3.0.0

=========

CVE package updates

CVE-2024-30105

• See PR #​2929 for details.

• Updated to Microsoft.IdentityModel.* 8.0.0, Microsoft.Identity.Lab API 1.0.2, Microsoft.Identity.Abstractions 6.0.0

• See rel/v2 changelog for full list of added features to 3.0.0.

Fundamentals:

• Update lab cert and lab version. See PR #​2923 for details.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud