Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Bump Microsoft.IdentityModel.JsonWebTokens and System.IdentityModel.Tokens.Jwt

Closed
Number: #2971
Type: Pull Request
State: Closed
Author: dependabot[bot] dependabot[bot]
Association: Unknown
Comments: 1
Created: October 24, 2025 at 01:13 AM UTC
(8 months ago)
Updated: October 24, 2025 at 01:32 AM UTC
(8 months ago)
Closed: October 24, 2025 at 01:31 AM UTC
(8 months ago)
Time to Close: 18 minutes
Labels:
dependencies .NET
Description:

Updated Microsoft.IdentityModel.JsonWebTokens from 5.7.0 to 8.14.0.

Release notes

Sourced from Microsoft.IdentityModel.JsonWebTokens's releases.

8.14.0

8.14.0

Bug Fixes

  • Switch back to use ValidationResult instead of OperationResult when validating a token in a new experimental validation flow. Additionally removed the dependency on Microsoft.IdentityModel.Abstractions. See #​3299 for details.

8.13.1

8.13.1

Dependencies

Microsoft.IdentityModel now depends on Microsoft.Identity.Abstractions 9.3.0

Bug Fixes

  • Fixed a decompression failure happening for large JWE payloads. See #​3286 for details.

Work related to redesign of IdentityModel's token validation logic #​2711

  • Update the validation methods to return Microsoft.Identity.Abstractions.OperationResult. See #​3284 for details.

8.13.0

8.13.0

8.13.0

Fundamentals

  • CaseSensitiveClaimsIdentity.SecurityToken setter is now protected internal (was internal). See PR #​3278 for details.
  • Update .NET SDK version to 9.0.108 used when building or running the code. See PR #​3274 for details.
  • Update RsaSecurityKey.cs to replace the Pkcs1 padding by Pss from HasPrivateKey check. See #​3280 for details.

What's Changed

New Contributors

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.12.1...8.13.0

8.12.1

8.12.1

Fundamentals

  • Update .NET SDK version to 9.0.107 used when building or running the code. See #​3263 for details.
  • To keep our experimental code separate from production code, all files associated with experimental features have been moved to the Experimental folders. See PR #​3261 for details.
  • Experimental code leaked into TokenValidationResult from early prototypes. See PR #​3259 for details.

What's Changed

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.12.0...8.12.1

8.12.0

8.12.0

New Features

  • Enhance ConfigurationManager with event handling
    Added event handling capabilities to the ConfigurationManager, enabling consumers to subscribe to configuration change events. This enhancement improves extensibility and allows more responsive applications. For details see #​3253

Bug Fixes

  • Add expected Base64UrlEncoder.Decode overload for NET6 and 8
    Introduced the expected overload of Base64UrlEncoder.Decode for .NET 6 and 8, ensuring compatibility and preventing missing method issues on these frameworks.
    For details see #​3249

Fundamentals

  • Add AI assist rules
    Incorporated AI assist rules to enhance AI agents effectiveness.
    For details see #​3255
  • Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0
    Upgraded analyzer packages for improved diagnostics and code consistency (in particular delegates are added).
    For details see #​3256
  • Move suppression of RS006 to csproj
    Centralized suppression of RS006 warnings in project files for easier management.
    For details see #​3230

What's Changed

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.11.0...8.12.0

8.11.0

8.11.0

New Features:

  • Microsoft.IdentityModel now exposes the AadIssuerValidator factory method publicly to enable caching functionality for AadIssuerValidator instances. See issue #​3245 for details.
  • Added a new public async API: JsonWebTokenHandler.DecryptTokenWithConfigurationAsync, which decrypts a JWE token using keys from either TokenValidationParameters or, if not present, from configuration (such as via a ConfigurationManager). This enhancement improves developer experience by enabling asynchronous, cancellation-aware JWE decryption scenarios, aligning with modern .NET async patterns and making integration with external key/configuration sources more robust and observable. See PR #​3243 for details.

What's Changed

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.10.0...8.11.0

8.10.0

8.10.0

Bug Fixes

  • Corrected casing of the Type attribute in SubjectConfirmationData. See #​3206.
  • Removed Microsoft.Bcl.Memory dependency for pre-.NET 9.0 targets. See #​3220.
  • Aligned Microsoft.Extensions.Logging.Abstractions version to 8.0.0 for .NET 9 to match other targets. See #​3226.

Fundamentals

8.9.0

8.9.0

Bug Fixes

New Features

Fundamentals

8.8.0

8.8.0

New Features

  • Adds the ability for the metadata refresh to be done as a blocking call, as per 8.0.1 behavior. This is done through the Switch.Microsoft.IdentityModel.UpdateConfigAsBlocking switch. If set, configuration calls will be blocking when metadata is updated, otherwise, if token arrive with a new signing keys, validation errors will be returned to the caller. See PR #​3193 for details.
  • Identity.Model updates some log and error messages (IDX10214, IDX10215). If the information is needed for debugging purposes, it can be reverted via the Switch.Microsoft.IdentityModel.DoNotScrubExceptions AppContextSwitch. See PR #​3195 and https://aka.ms/identitymodel/app-context-switches for details.
  • Change all plain object locks to System.Thread.Lock objects for .NET 9 or greater. See PRs #​3185 and #​3189 for details.

8.7.0

Bug Fixes

  • Add back internal methods IsRecoverableException and IsRecoverableExceptionType whose signatures were changed in the previous version. See #​3181.

New Features

  • Make Cnf class public and move it to Microsoft.IdentityModel.Tokens package. See #​3165.

What's Changed

New Contributors

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.6.1...8.7.0

8.6.1

8.6.1

Bug fix

  • Microsoft.IdentityModel now triggers a configuration refresh if token decryption fails. See issue #​3148 for details.
  • Fix a bug in JsonWebTokenHandler where JwtTokenDecryptionParameters's Alg and Enc were not set during token decryption, causing IDX10611 and IDX10619 errors to show null values in the messages. See issue #​3003 for details.

Fundamentals

  • For development, IdentityModel now has a global.json file to specify the .NET SDK version. See issue #​2995 for details.

What's Changed

New Contributors

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.6.0...8.6.1

8.6.0

8.6.0

New Features

  • TokenValidationParameters has a new boolean property TryAllDecryptionKeys that let you choose whether to try all decrypt keys when no key matches the token decrypt key IDs. By default it's set to true (legacy behavior) but you can set it to false to avoid tyring all keys which is more performant. See #​3128
  • Promote KeyInfo.MatchesKey from internal to protected internal virtual to enable SAML extensibility (for CoreWcf). See #​3140

Fundamentals

  • Update dependency on Microsoft.Extensions.Logging.Abstractions from 9.0.0 to 8.0.2 to avoid package downgrade in apps on .NET 9 using a netstandard2.0 library referencing logging.abstractions. See 3143
  • Add more tests for encrypted tokens. See #​3139

What's Changed

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.5.0...8.6.0

8.5.0

8.5.0

Reverting previous breaking change

  • The Configuration Manager has been reverted to version 8.3.1. The changes made in 8.4.0 assume the configuration manager is used as a singleton, which is similar to marking the type as disposable. We have since learned that adding IDisposable is a breaking change, so we are following semver guidance and reverting and releasing a minor version (8.5.0).
  • Cherry-picked Changes: Included changes from PR #​3022 and #​3104.

What's Changed

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.4.0...8.5.0

8.4.0

8.4.0

New Features

  • App context switch allows blocking or non-blocking calls for configuration. See PR #​3106 for details and issue #​3082 for details. If you are not using the ConfigurationManager as a singleton and not using the blocking option, you may need to call ShutdownBackgroundTask() to stop the background task to avoid leaking Tasks.
  • IdentityModel now enables symmetric and asymmetric keys to be created publicly with JWK. See #​3094 for details.
  • IdentityModel now allows specifying the HTTP protocol version and version policy. See #​2808 for details.

Repair items

  • Add request count and duration telemetry for configuration requests. See #​3022 for details.
  • KeyID should be present in exception messages and is no longer PII. See #​3104 for details.

Fundamentals

  • Fix spelling issues in xml comments. See #​3117 for details.
  • Fix comment coverage in PR builds. See #​3079 for details.

Work related to redesign of IdentityModel's token validation logic #​2711

8.3.1

8.3.1

Bug Fixes

  • Respect TVP.RequireAudience when set to false. See #​3055
  • For net4.6.2 select RSACng for PSS support. See #​3097
  • Fix package downgrade in consuming libraries. See#​3062
  • Fix integer overflow in AuthenticationEncryptionProvider.cs. See #​3063

Fundamentals

  • Removed unused property on JsonWebToken ClaimsIdentity. See #​3071 for details.
  • Upgrade to C# 13. See #​2998
  • Use new Base64Url API. See #​22817
  • Add warning quality check. See #​3067
  • Update dotnet actions. see #​3074
  • Fix warnings. See #​3081
  • Test updates in JsonWebToken. See #​3080.

Work related to redesign of IdentityModel's token validation logic #​2711

What's Changed

New Contributors

... (truncated)

8.3.0

New features

Work related to redesign of IdentityModel's token validation logic #​2711

Bug fixes

Fundamentals

New Contributors

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.2.1...8.3.0

8.2.1

8.2.1

New features

  • Update to use .NET 9 GA. See 2990.

Bug fixes

  • Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets. See 2935.
  • Update cgmanifest to align with the JSON schema. See 2969.

Fundamentals

  • Streamline token creation in SecurityTokenDescriptor. See 2993.
  • Prevent inlining to guarantee stack frames in test. See 2999.

Work related to redesign of IdentityModel's token validation logic #​2711

  • Simplify stack frame caching. See 2976.
  • Implement reading SAML and SAML2 tokens. See 2980.
  • Implement validating SAML signature. See 2950.
  • Add tests for IssuerExtensibility. See 2987.
  • Add validation for SAML and SAML2 issuer signing key. See 2965.
  • Add validation for SAML and SAML2 algorithm. See 2984.

What's Changed

New Contributors

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.2.0...8.2.1

8.2.0

8.2.0

Fundamentals

Work related to redesign of IdentityModel's token validation logic #​2711

  • Validates Audience for SAML2TokenHandler with New Model 2863
  • Improvements to AudienceValidation 2902
  • Added properties to ValidationResult 2923
  • Implements Audience and Lifetime validations in SamlSecurityTokenHandler 2925
  • Implements Issuer validation in SamlSecurityTokenHandler 2948

What's Changed

8.1.2

What's Changed

Bug fixes

Fundamentals

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.1.1...8.1.2

8.1.1

8.1.1

Bug fixes

  • Fix bug where ConfigurationManager was updating keys too frequently. See 2866 for details.

What's Changed

Full Changelog: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/compare/8.1.0...8.1.1

8.1.0

8.1.0

Performance improvements

  • Improves performance during issuer validation by replacing string comparison with span comparison. See PR #​2826.

New features

  • Add optional check to prevent using keys that are shared across multiple clouds. See issue #​2832 for details.

Bug fixes

  • JsonWebTokenHandler would only return unwrapped keys if there was no errors. This change is to align with the behavior in JwtSecurityTokenHandler, that is it returns the keys that were able to be unwrapped, and only throw if no keys were able to be unwrapped. See issue #​2695 for details.

Fundamentals

  • Fix flaky tests. See #​2793 for details.
  • Update XUnit versoin and fix test warnings due to new XUnit analyzers. See PR #​2796 for details.
  • Onhboard to code coverage in ADO. See PR #​2798.
  • Use IsTargetFrameworkCompatible(*) so AOT is forward-compatible with .NET 9 and beyond. See PR #​2790 for details.
  • Fix a merge conflict impacting dev. See PR #​2819.
  • Defining the following attribute in multiple assemblies (.Tokens, .Logging) causes an internal error.
    [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors)]. See PR #​2820.
  • Remove perl dependency. See PR #​2830.

Work related to redesign of IdentityModel's token validation logic #​2711

What's Changed

8.0.2

8.0.2

Security fundamentals

  • Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors. See PR #​2778 for details.

Bug fixes

  • IdentityModel now allows the JWT payload to be an empty string. See issue #​2656 for details.
  • Cache UseRfcDefinitionOfEpkAndKid switch. See PR #​2747 for details.
  • Method was named DoNotFailOnMissingTid in 7x and DontFailOnMissingTid in 8x, adding the method for back compat. See issue #​2750 for details.
  • Metadata is now updated on a background thread. See #​2780 for details.
  • JsonWebKeySet stores the original string it was created with. See PR #​2755 for details.
  • Restore AOT compatibility. See #​2711.
  • Fix OpenIdConnect parsing bug. See #​2772 for details.
  • Remove the lock on creating a SignatureProvider. See #​2788 for details.

Fundamentals

  • Test clean up #​2742.
  • Use only FxCop in .NET framework targets #​2693.
  • Add rule to add file headers automatically #​2748.
  • Code analysis updates #​2746.
  • Include README packages in NuGet #​2752.
  • Update projects inside WilsonUnix solution #​2768.
  • Code style enforced in build #​2603.
  • CodeQL update #​2767.
  • Update build pipeline to new one release build format #​2777.
  • Update GitHub actions to 9.0.100-preview.7.24407.12 and add <NoWarn>$(NoWarn);SYSLIB0057</NoWarn> due to breaking changes in preview7. #​2786.

Work relating to #​2711

What's Changed

8.0.1

8.0.1

Bug fixes

  • IdentityModel now resolves the public key for ECDH. See issue #​1951 for details.
  • Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #​2682 for details.
  • For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #​2737 for details.

Performance improvement

8.0.0

8.0.0

CVE package updates

CVE-2024-30105

Breaking change:

Full list of breaking changes.

  • A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #​2700 for details.
  • Make CollectionUtilities.IsNullOrEmpty internal. If your code used this method, you now have to provide your own implementation. See issues #​2651 and #​1722 for details.

Overall improvements to the validation in IdentityModel:

  • See design proposal #​2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

  • Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #​2698 for details.

Bug fixes:

  • Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #​2680 for details.
  • Continuation of #​2637 and #​2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.
  • The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0
  • The following grant types are .....

Description has been truncated

Package Dependencies
Package:
Microsoft.IdentityModel.JsonWebTokens
Ecosystem:
nuget
Package:
System.IdentityModel.Tokens.Jwt
Ecosystem:
nuget
Security Advisories
Microsoft Security Advisory CVE-2024-30105 | .NET Denial of Service Vulnerability
GHSA-hh2w-p6rv-4g7w CVE-2024-30105 HIGH
# Microsoft Security Advisory CVE-2024-30105 | .NET Denial of Service Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide i...
Microsoft Security Advisory CVE-2024-43485 | .NET Denial of Service Vulnerability
GHSA-8g4q-xg66-9fp4 CVE-2024-43485 HIGH
# Microsoft Security Advisory CVE-2024-43485 | .NET Denial of Service Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide i...
Actions
View on GitHub View Repository All Dependabot PRs
Technical Details
ID: 10490899
UUID: 3547189532
Node ID: PR_kwDOC3usfM6vZeNC
Host: GitHub
Repository: bervProject/NETCoreAPIBoilerplate