Skip to content

Bump Microsoft.Identity.Web from 1.26.0 to 4.0.0 #294

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Bump Microsoft.Identity.Web from 1.26.0 to 4.0.0 #294

wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 13, 2025

Updated Microsoft.Identity.Web from 1.26.0 to 4.0.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.0.0

4.0.0

Breaking Changes

Removed support for .NET 6.0 and .NET 7.0 - Microsoft Identity Web 4.0.0 no longer targets .NET 6.0 and .NET 7.0, following Microsoft's support lifecycle. The supported target frameworks are now .NET 8.0, .NET 9.0, .NET Framework 4.6.2, .NET Framework 4.7.2, and .NET Standard 2.0.

See MIGRATION_GUIDE_V4

New features

  • Various improvements to performance logging, authentication, and credential loading capabilities.
  • Bumped MSAL.NET to 4.77.1
  • Added credential description extensibility. For details, see #​3487
  • Added a new CerticateObserverAction type: SuccessfullyUsed and support for multiple certificate observers for improved certificate lifecycle management and telemetry. See #​3505
  • Add specification of OID (in addition to upn) when requesting an authorization header for Agent User Identity. See #​3513
  • Added ClaimsPrincipal and ClaimsIdentity extension methods for agent identity detection in web APIs enabling developers to easily detect agent identities and retrieve parent agent blueprint from token claims. See #​3515
  • Added MicrosoftIdentityMessageHandler for flexible HttpClient authentication. Provides composable alternative to DownstreamApi with per-request authentication configuration. Supports WWW-Authenticate challenge handling. See #​3503
  • Support for multiple certificate observers. See #​3506
  • The Microsoft.Identity.Web.Sidecar will provide a container solution for validation and token acquisition in any-language. See #​3524

Bug Fixes

  • Fixed TokenAcquirerFactory null reference when AppContext.BaseDirectory is root path. See #​3443
  • Fixed IDW10405 error when using managed identity with common tenant. See #​3415
  • Removed hard dependency on IConfiguration in OidcIdpSignedAssertionLoader. See #​3414

Fundamentals

  • Various improvements to .NET support and dependency optimizations.
  • Added doc for Agent identities. See Agent identities
  • Combined and fixed test collections. See #​3472
  • Migrate repository agent rules from .clinerules to agents.md. See #​3475
  • Add .NET 6.x setup step to dotnetcore.yml workflow, as the default build agents don't have it any longer. See #​3489
  • Renamed NET 7 tests to ThreadingTests for framework independence. See #​3501

3.14.1

3.14.1

Bug fixe

  • Support client secrets with agent user identities. See #​3470 for details.

3.14.0

New features

  • Support multi-tenant agent user identities. See #​3461 for details.
  • Id Web now allows for passing of ExtraBodyParameters. See #​3463 for details.

3.13.1

3.13.1

Dependencies updates

  • Microsoft.IdentityModel updated to version 8.14.0.

3.13.0

3.13.0

Dependencies updates

  • Microsoft.IdentityModel updated to version 8.13.1.
  • Microsoft.Abstractions updated to version 9.3.0 and using IAuthenticationSchemeInformationProvider from that library, deprecating the interface of the same name in Microsoft.Identity.Web (introduced in 3.12.0).

Bug fixes

  • Fixed an issue with instantiation of TokenAcquirerFactory when AppContext.BaseDirectory is root path. See PR #​3443 for details.

Fundamentals

3.12.0

3.12.0

Dependencies updates

  • Updated MSAL to version 4.74.1 part of #​3398.

Bug fix

Reload certificates for all client credential based issues to solve the issue that when a bad certificate was installed on the machine and picked up, and subsequently rotated, a service restart was needed for the new certificate to be used. See issue #​3429 and PR #​3430

New features

  • Include the thrown exception in CertificateChangeEventArg. See PR #​3428 for better supportabiliby.
  • Support for Agent User identities. See PR #​3435

3.11.0

3.11.0

Dependencies updates

  • Updated global.json to the latest .NET 9 runtime framework 9.0.108. See PR #​3422 for details.

Bug fixes

  • Fix IDW10405 error when using managed identity with common tenant. See PR #​3415 for details.
  • Fix OidcIdpSignedAssertionLoader to remove hard dependency on IConfiguration registration. See PR #​3414 for details.

New feature

  • Add support for ExtraHeaderParameters and ExtraQueryParameters properties on DownstreamApiOptions to simplify adding custom headers and query parameters to downstream API requests. See PR #​3413 for details.
  • Add better support for Azure SDK. For details see Readme-Azure and PR #​3416

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.10.0...3.11.0

3.10.0

3.10.0

Dependencies updates

  • Updated MSAL to version 4.73.1 (#​3398).
  • Updated global.json to the latest .NET 9 runtime framework 9.0.107 (#​3385).

New feature

  • Added support for Agent Identities (#​3396, #​3402).
    introducing the Microsoft.Identity.Web.AgentIdentities package .

Bug fixes

  • Processed codeQL issues

Fundamentals

  • improved unit tests for OidcFic with the new SignedAssertionFmiPath

3.9.4

3.9.4

Package updates

  • Microsoft.IdentityModel updated to version 8.12.1.

Bug fix

  • Updates the DefaultAuthorizationHeaderProvider to update the AcquireTokenOptions.LongRunningWebApiSessionKey after the token is acquired so that the key can be used in the next OBO call. See PR #​3381 for details.

Fundamentals

  • Update .NET SDK version to 9.0.107 used when building or running the code. See #​3385 for details.
  • Improved test coverage for managed identity flows. See #​3350 for details.

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.9.3...3.9.4

3.9.3

3.9.3

Package updates

  • Microsoft.IdentityModel updated to version 8.12.0.

Fundamentals

  • Add .clinerules to help with AI tooling.
  • Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0 Upgraded analyzer packages for improved diagnostics and code consistency (in particular delegates are added). For details see #​3379

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.9.2...3.9.3

3.9.2

3.9.2

Package updates

Fundamentals:

  • Fix invalid comparisons in prop and csproj files. For details see #​3297.

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.9.1...3.9.2

3.9.1

3.9.1

Package updates

  • Microsoft.Identity.Abstractions updated to version 9.1.0.

Fundamentals

  • Fix AoT warnings. For details see #​3366.

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.9.0...3.9.1

3.9.0

3.9.0

Package updates

Bug fixes

  • Fixed issue where RequiredScopeOrAppPermission extension method didn’t work with Minimal APIs. See #​3323.
  • Resolved IL warnings from AddDownstreamApis in NativeAOT projects. See #​3355.
  • Ensured AcquireTokenForConfidentialClient correctly passes MSAL exceptions. See #​3345.
  • Prevented null reference when accessing MergedOptions instance. See #​3337.

New feature

  • Added optional login_hint and domain_hint support to AccountController.SignIn endpoint. See #​3244 and #​3348.

Fundamentals

  • Introduced Long-Term Support (LTS) policy. See #​3357.
  • Added tests to validate xms_cc (client capability) forwarding in CCA flows. See #​3349.

External contributions

Thank you @​evan-buss for your contribution and fixing the issue where RequiredScopeOrAppPermission extension method didn’t work with Minimal APIs. See #​3323.
Thank you @​neha-bhargava for your contribution and ensuring AcquireTokenForConfidentialClient correctly passes MSAL exceptions. See #​3345.

3.8.4

3.8.4

Package updates

Bug fixes

  • Fixed the issue where FmiPath was not persisted when copying/reinitializing AcquireTokenOptions. See #​3336.

New feature

Fundamentals

  • Removed System.Text.Json as an explicit dependency for .NET Core targets. See #​3331.

3.8.3

3.8.3

Package updates

New feature

  • TokenAcquistion.cs adds its service provider to the acquisition options. See issue #​3315 for details.

3.8.2

3.8.2

  • Updated to Microsoft.Identity.Abstractions 9.0.0

New feature

  • An exception is now thrown if MSAL TokenCacheNotificationArgs indicates that distributed cache is configured when it should not have been. See #​3304.
  • Added support for federated identity credentials with AT_POP. See #​3299.

3.8.1

New features

  • Updated to Microsoft.IdentityModel.* 8.7.0

Bug fixes

  • Pins Microsoft.Extensions.Http dependency version to 3.1.3 for .NET Framework and .NET Standard and uses inbox version for .NET Core. See #​3145.

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.8.0...3.8.1

3.8.0

3.8.0

New feature

  • Updated to Microsoft.IdentityModel.* 8.6.1
  • Updated to MSAL.NET 4.69.1
  • Updated the Json Schema to include extensiblity for signed assertion providers. See #​3235
  • Added support for Federation Identity Credential on any OIDC Idp (FIC+OIDC credential provider). See #​3255
  • Support for acquiring token for Federation Managed Identity (FMI). Supports the FmiPath property of AcquireTokenOptions. See #​3247
  • Downstream APIs now support Authorization headers with a custom SAML bearer syntax. See #​3273

Bug fixes

  • TokenAcquirerFactory is now thread safe. See #​3274
  • Fix a bug in the parsing of the token in the authority. See #​3261

Fundamentals

  • Removed old Blazorwasm sample, wasm-tools and added new blazor web API: #​3259, #​3257, #​3254
  • Modified the build so that, in CI/CD internal builds, the NuGet.olg NuGet source is replaced by a managed Nuget source. More verbose information added. See #​3263
  • Fixed CS8602 Warnings in Weather.razor (BlazorApp) – Handle Nullable forecasts and user.Identity. See #​3266,

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.7.1...3.8.0

3.7.1

3.7.1

  • Updated to Microsoft.IdentityModel.* 8.5.0

3.7.0

3.7.0

  • Updated to Microsoft.Identity.Abstractions 8.1.0
  • Updated to Microsoft.IdentityModel.* 8.4.0

New Feature

  • IdentityWeb now provides extensibility to DefaultCredentialsLoader so that partner teams, or an SDK on top of IdWeb, can bring their own credential providers. See #​3220 for details.

Bug fixes

  • The merged options are now being passed to MSAL for the CCA ROPC scenario. See #​3207 for details.

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.6.2...3.7.0

3.6.2

3.6.2

  • Updated to Microsoft.Identity.Abstractions 8.0.0

Fundamentals

  • Clean-up the tests that were using properties removed in Abstractions 8.0.0. See issue #​3212 for details.

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.6.1...3.6.2

3.6.1

3.6.1

  • Updated to Microsoft.Identity.Abstractions 7.2.1

3.6.0

3.6.0

  • Updated to Microsoft.IdentityModel.* 8.3.1
  • Updated to MSAL.NET 4.67.2

Bug fixes

Fundamentals

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.5.0...3.6.0

3.5.0

Bug fixes

Fundamentals

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.4.0...3.5.0

3.4.0

3.4.0

  • Updated to Microsoft.IdentityModel.* 8.2.1
  • Updated to Microsoft.Identity.Abstractions 7.2.0

New features

  • Add ROPC flow support for confidential client applications. See 3091, 3129, 3139.
  • Allow multi-tenant applications to specify the AppHomeTenantId to be used for client credentials. See 3121, 3132.
  • Update to use .NET 9 GA. See 3127.

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.3.1...3.4.0

3.3.1

3.3.1

  • Updated to Microsoft.IdentityModel.* 8.2.0

Supportability

  • Added JSON schema support for Microsoft.Identity.Web configuration. This allows for schema validation in the appsettings.json, improving configuration accuracy and developer experience. To use it, add the following at the top of your appsettings.json:
    "$schema": "https://github.com/AzureAD/microsoft-identity-web/blob/master/JsonSchemas/microsoft-identity-web.json"
    This update enhances the configuration process by providing clear structure and validation for settings used in Microsoft.Identity.Web. See PR #​3119 for details.

Fundamentals

  • Fix a flaky test in the L1L2Cache tests. See PR #​3122 for details.

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.3.0...3.3.1

3.3.0

3.3.0

  • Updated to Microsoft.Identity.Client 4.66.0
  • Update system.Text.Json to 8.0.5 CVE-2024-43485
  • Updated to .NET 9 RC2

New features

  • Microsoft.Identity.Web token acquisition now provides an extensibility mechanism to enlight non-standard features. For details, see #​2975

Fundamentals

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.2.2...3.3.0

3.2.2

3.2.2

  • Updated to Microsoft.IdentityModel.* 8.1.2

3.2.1

3.2.1

  • Updated to Microsoft.IdentityModel.* 8.1.1

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@3.2.0...3.2.1

3.2.0

3.2.0

  • Updated to Microsoft.Identity.Abstractions 7.1.0
  • Updated to Microsoft.IdentityModel.* 8.1.0
  • Updated to Microsoft.Identity.Client 4.64.1
     

New features

  • In .NET 8 and above, IDownstreamApi overloads take a JsonTypeInfo<T> parameter to enable source generated JSON deserialization. See issue #​2930 for details.

Bug fixes:

  • Azure region is used while creating application keys when the TokenAcquisition service caches application objects, and the TokenAcquirerFactory caches TokenAcquirer. See #​3002 for details.
  • Improved error messages for FIC. See issue #​3000 for details.

Fundamentals:

  • Improved test coverage for GetCacheKey. See PR #​3020 for details.
  • Update to .NET 9-RC1. See issue #​3025 for details.
  • Fix static analysis warnings. See PR #​3024 for details.

3.1.0

3.1.0

  • Updated to Microsoft.IdentityModel.* 8.0.2

Security improvement:

  • Id Web now uses CaseSensitiveClaimsIdentity by default and provides AppContextSwitches to fallback to using ClaimsIdentity. This means that when you loopup claims with FindFirst(), FindAll() and HasClaim(), you need to provide the right casing for the claim. See PR #​2977 for details.

Bug fixes:

  • For SN/I scenarios, Id Web's GetTokenAcquirer now sets SendX5C in particular protocols. See issue #​2887 for details.
  • Fix for Instance/Tenant parsing for V2 authority (affected one Entra External IDs scenario). See PR #​2954 for details.
  • Fix regex that threw a format exception: The input string " was not in a correct format when enabling same-site cookie compatibility with userAgent: "Dalvik/2.1.0 (Linux; U; Android 12; Chromecast Build/STTE.230319.008.H1). See issue #​2879 for details.
  • Microsoft.Identity.Web 3.1.0 now has an upper bound set on its dependency on Microsoft.Identity.Abstractions to version 7x to avoid referencing Microsoft.Identity.Abstractions 8.0.0, which has an interface breaking change, not yet implemented in Microsoft.Identity.Web. See PR #​2962 for details.

Fundamentals:

  • Fix flakey tests: #​2972, #​2984, #​2982,
  • Update to AzureKeyVault@​2 in AzureDevOps, #​2981.
  • Update to .NET 9-preview7, #​2980 and #​2991.
  • It's now possible to build a specific version of Microsoft.Identity.Web based on specific versions of Microsoft.IdentityModel and Microsoft.Identity.Abstractions by specifying build variables on the dotnet pack command (MicrosoftIdentityModelVersion, MicrosoftIdentityAbstractionsVersions, and MicrosoftIdentityWebVersion): #​2974, #​2990

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.0.1...3.1.0

3.0.1

3.0.1

  • Updated to Microsoft.IdentityModel.* 8.0.1

3.0.0

3.0.0

CVE package updates

CVE-2024-30105

  • See PR #​2929 for details.

  • Updated to Microsoft.IdentityModel.* 8.0.0, Microsoft.Identity.Lab API 1.0.2, Microsoft.Identity.Abstractions 6.0.0

  • See rel/v2 changelog for full list of added features to 3.0.0.

Fundamentals:

  • Update lab cert and lab version. See PR #​2923 for details.

3.0.0-preview3

3.0.0-preview3

  • Updated to Microsoft.IdentityModel.* 8.0.0-preview3

3.0.0-preview2

3.0.0-preview2

  • Updated MSAL .Net to 4.61.3
  • Updated Azure.Identity to 1.11.4

New features:

  • Change GetSignedAssertion public API. See issue #​2853 for details.
  • Update to latest .NET 9 preview 4. See issue #​2877 for details.

3.0.0-preview1

3.0.0-preview1

Breaking changes

  • Remove netcoreapp3.1 support, see issue #​2262 for details.
  • Remove net5.0 support from Microsoft.Identity.Web.UI, see issue #​2711 for details.

New features

  • Microsoft.Identity.Web can be conditionally built on .net9.0-preview, see issue #​2702 for details.
  • Microsoft.Identity.Web nows processes the AcceptHeader and ContentType if provided, see issue #​2806 for details.
  • Target Microsoft.IdentityModel 7x in OWIN targets, see issue #​2785 for details.

2.21.0

2.21.0

  • Updated to Microsoft.IdentityModel 7.7.0

CVE package updates

CVE-2024-30105

2.20.0

2.20.0

  • Updated to Microsoft.Identity.Abstractions 6.0.0 which adds one method to IAuthorizationHeaderProvider

New features

  • Implements the updated IAuthorizationHeaderProvider interface (the new method CreateAuthorizationHeaderForAppAsync). See issue #​2907
  • If an IMsalHttpClientFactory is added to the service collection, it's not used by IdWeb token acquisition. See issue #​2911
    This will be use to enable some IPv6 scenarios.

Bug fixes

  • Fix metadata address creation when using AddMicrosoftIdentityWebApp. See issue #​2752
  • Use MSAL.NET instead of DefaultAzureCredential for Federation identity credentials scenario. See 2894

Fundamentals

  • Updating Lab Api to 0.13.3

2.19.1

2.19.1

  • Updated MSAL .Net to 4.61.3
  • Updated Azure.Identity to 1.11.4

2.19.0

2.19.0

  • Updated to Microsoft.IdentityModel.* 7.6.0

New features

  • Id Web now provides a .WithUser() modifier to the Microsoft Graph queries (like WithAppOnly()). See issue #​2855 for details.
  • Id Web now provides a base class for implementing a custom IAuthorizationHeaderProvider. See issue #​2856 for details.

Bug fixes

  • Id Web now processes the extra query parameters when included as part of the authority. See issue #​2697 for details.

2.18.2

2.18.2

New feature

  • Target Microsoft.IdentityModel 7x in OWIN targets, see issue #​2785 for details.

Bug fixes

  • Id Web now accepts an env var to disable interactive auth for KeyVaultCertificateLoader, see issue #​2647 for details.
  • Id Web token acquisition on ASP.NET Core 2.x on net472 or net48 implements ITokenAquirerFactory, see issue #​2849 for details.

2.18.1

2.18.1

  • Updated to Microsoft.IdentityModel.* 7.5.1

Bug fix

  • Fix for FIC due to appending ./default, see issue #​2796 for details.

2.18.0

2.18.0

  • Update to Microsoft.Identity.Abstractions 5.3.0
  • Update Azure.Security libraries to 4.6.0

New features

  • Added support for Managed Identity Federated Identity Credential. See issue #​2749 for details.
  • Added support to read a section to register multiple downstream APIs. See issue #​2255 for details.

Bug fix

  • TokenAcquirer factory is now thread safe and can handle multiple azure regions. See issue #​2765 for details.

2.17.5

2.17.5

  • Updated to MSAL 4.59.1.

2.17.4

2.17.4

Bug fix

  • Fix assertions being removed from dict before callback is executed in TokenAcquisition. See issue #​2734 for details.

2.17.3

2.17.3

2.17.2

2.17.2

New features

  • Added support for CIAM custom user domains. You can now use an Open ID connect authority in the "Authority" property of the configuration instead of using "Instance" and "Tenant". See issue #​2690 for details.

2.17.1

2.17.1

  • Updated to Microsoft.IdentityModel.* 7.4.0

New features

  • DownstreamApi now automatically processes claims challenge from web APIs which are CAE enabled, provided you set "ClientCapablities" : ["cp1"] in the configuation. See issue #​2550.

Bug fixes

  • Fixes the use of ServiceDescriptor for containers which have keyed services present. This can be an issue on .NET 8.0. See issue #​2676 for details.

Engineering excellence

  • Calls to ConfidentialClientApplicationBuilderExtension.WithClientCredentials are fully async. See issue #​2566 for details.

2.17.0

2.17.0

  • Updated to Microsoft.IdentityModel.* 7.3.1 and MSAL.NET 4.59.0

New features

Bug fixes

  • In OWIN applications, GetTokenForUserAsync now respects the ClaimsPrincipal. See issue #​2629 for details.
  • After setting AddTokenAcquisition(useSingleton:true) to use token acquisition as a singleton, if you use .AddMicrosoftGraph and/or .AddDownstreamApi after this call,
    the GraphServiceClient and IDownstreamApis are now registered as a singleton service. For details see PR #​2645
  • Added check Against Injection Attacks. For details see PR 2619

Engineering excellence

2.16.1

2.16.1

  • Update Microsoft.Identity.Abstractions 5.1.0 and Microsoft.IdentityModel.* 7.1.2

Bug Fixes

  • In OWIN, Id Web now respects the passed in user argument. See issue #​2585 for details.

2.16.0

Leverage IdentityModel 7.x on all .NET core frameworks.

2.15.5

2.15.5

  • Update to .NET 8 GA
  • Update to Microsoft.Graph 5.34.0

Bug Fixes

  • Fixes an issue where users were not able to override ICredentialsLoader. See #​2564 for details.
  • The latest patch version is no longer used in dependencies, as it made builds non-deterministic. See #​2569 for details.
  • Removed dependencies that were no longer needed. See #​2577 for details.
  • Fixes an issue where the build did not look up project names as package dependencies. See #​2579 for more details.

Fundamentals

  • Enable baseline package validation, see #​2572 for details.
  • Improve trimmability on .NET 8, see #​2574 for details.

2.15.3

2.15.3

Bug Fixes:

  • Microsoft.Identity.Web honors the user-provided value for the cache expiry for in-memory cache. See #​2466 for details.

2.15.2

2.15.2

  • For the .NET 8 rc2 target framework, the IdentityModel dependencies have been updated to Identity.Model.*.7.0.3.

Bug Fixes

  • Fixes a regression introduced in 2.15.0 where the OnTokenValidated delegates were no longer chained with an await. See issue#​2513.

2.15.1

2.15.1

  • Updated IdentityModel dependencies to Identity.Model.*.6.33.0 for all target frameworks other than .NET 8 rc1, for which Microsoft,Identity.Web leverages Identity.Model 7.0.2

New features

  • TokenAcquirerFactory now adds support for reading the configuration from environment variables. See issue #​2480

Experimental API

(to get feedback, could change without bumping-up the major version)

  • It's now possible for an application to observe the client certificate selected by Token acquirer from the ClientCredentials properties, and when the certicate is un-selected (because it's rejected by the Identity Provider, as expired, or revoked). See Observing client certificates. PR #​2496

Bug Fixes

  • Fixes a resiliency issue where the client certificate rotation wasn't always happening (from KeyKeyVault, or certificate store with same distinguished name). See #​2496 for details.
  • In the override of AddMicrosoftIdentityWebApp taking a delegate, the delegate is now called only once (it was called twice causing the TokenValidated event to be called twice as well). Fixes #​2328
  • Fixes a regression introduced in 2.13.3, causing the configuration to not be read, when using an app builder other than the WindowsAppBuilder with AddMicroosftIdentityWebApp/Api, unless you provided an empty authentication scheme when acquiring a token. Fixes #​2460, #​2410, #​2394

2.14.0

  • Update to Abstractions 5.0.0
  • Include new OpenIdConnect options from net 8. See PR #​2462

Bug Fixes

  • Chain the OnMessageReceived event. See PR #​2468

2.13.4

2.13.4

  • Update to IdentityModel 7.0.0-preview5 on .NET 8 and IdentityModel 6.32.3 for the other target frameworks.
  • Update to MSAL 4.56.0, which now
    enables the cache synchronization by default
  • Support for .NET 8 preview 7. See PR #​2430

Bug fixes

  • In Microsoft.Identity.Web.Owin, removed un-needed reference to Microsoft.Aspnet.WebApi.HelpPage. See issue #​2417
  • Fix to accomodate for breaking change in ASP.NET Core on .NET 8 that the SecurityToken is now a JsonWebToken. See issue #​2420
  • Improved the usability of IDownstreamApi by checking all HttpResponse for success before returning to the caller, instead of swallowing issues. This is a change of behavior. See issue #​2426
  • Improvement/Fix of OWIN scenarios, especially the session with B2C: #​2388
  • Fix an issue with CIAM web APIs and added two CIAM test apps. See PR #​2411
  • Fix a bug that is now surfaced by the .NET 8 runtime. See issue #​2448
  • Added a lock while loading credentials. See issue #​2439

Fundamentals

  • performance improvements: #​2414
  • Replaced Selenim with Playwright for more reliable faster UI tests. See issue #​2354
  • Added MSAL telemetry about the kind of token cache used (L1/L2). See issue #​1900
  • Resilience improvement: IdWeb now attempts to reload a certificate from its description when AAD returns "certificate revoked" error. See issue #​244

2.13.3

  • Update to Wilson 7.0.0-preview2 on .NET 8.

New features:

  • Support langversion 11, which as fewer allocations compared to 10, see issue #​2351 for details.
  • In AspNET Core 3.1 and Net 5+, Microsoft.Identity.Web now use the DefaultTokenAcquisitionHost (the host for SDK apps) instead of the Asp.NET Core one, when the service collection was not initialized by ASP.NET Core.
    • This means the IWebHostEnvironment is not present in the collection.
    • If you want the ASP.NET Core host, you would need to use the WebApplication.CreateBuilder().Services instead of instantiating a simple service collection.
  • In web APIs, GetAuthenticationResultForUserAsync tries to find the inbound token from user.Identity.BootstrapContext first (if not null), and then from the token acquisition host. This will help for non-asp.NET Core Azure functions for instance, see issue #​2371 for details.

2.13.2

2.13.2

Bug fixes:

  • **Fix bug found in usage of ....

Description has been truncated

@dependabot
Bump Microsoft.Identity.Web from 1.26.0 to 4.0.0
da4f866 
---
updated-dependencies:
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Oct 13, 2025
@dependabot dependabot bot mentioned this pull request Oct 13, 2025
Closed
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Oct 13, 2025

Superseded by #296.

@dependabot dependabot bot closed this Oct 13, 2025
@dependabot dependabot bot deleted the dependabot/nuget/web-api-obo-client/Microsoft.Identity.Web-4.0.0 branch October 13, 2025 21:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Milestone

No milestone

1 participant