8.13.1

Dependencies

Microsoft.IdentityModel now depends on Microsoft.Identity.Abstractions 9.3.0

Bug Fixes

• Fixed a decompression failure happening for large JWE payloads. See #3286 for details.

Work related to redesign of IdentityModel's token validation logic #2711

• Update the validation methods to return Microsoft.Identity.Abstractions.OperationResult. See #3284 for details.

8.13.0

8.13.0

Fundamentals

• CaseSensitiveClaimsIdentity.SecurityToken setter is now protected internal (was internal). See PR #3278 for details.
• Update .NET SDK version to 9.0.108 used when building or running the code. See PR #3274 for details.
• Update RsaSecurityKey.cs to replace the Pkcs1 padding by Pss from HasPrivateKey check. See #3280 for details.

What's Changed

• Make CaseSensitiveClaimsIdentity.SecurityToken setter protected by @keegan-caruso in #3278
• Update .NET SDK version in global.json from 9.0.107 to 9.0.108 by @Copilot in #3274
• Update RsaSecurityKey.cs to remove Pkcs 1 by @keegan-caruso in #3280
• changelog for 8.13 by @jennyf19 in #3282

New Contributors

• @Copilot made their first contribution in #3274

Full Changelog: 8.12.1...8.13.0

8.12.1

Fundamentals

• Update .NET SDK version to 9.0.107 used when building or running the code. See #3263 for details.
• To keep our experimental code separate from production code, all files associated with experimental features have been moved to the Experimental folders. See PR #3261 for details.
• Experimental code leaked into TokenValidationResult from early prototypes. See PR #3259 for details.

What's Changed

• Remove experimental code from TokenValidationResult by @brentschmaltz in #3259
• Moved files to experimental folder by @brentschmaltz in #3261
• Update global.json to latest by @jennyf19 in #3263

Full Changelog: 8.12.0...8.12.1

8.12.0

New Features

• Enhance ConfigurationManager with event handling
  Added event handling capabilities to the ConfigurationManager, enabling consumers to subscribe to configuration change events. This enhancement improves extensibility and allows more responsive applications. For details see #3253

Bug Fixes

• Add expected Base64UrlEncoder.Decode overload for NET6 and 8
  Introduced the expected overload of Base64UrlEncoder.Decode for .NET 6 and 8, ensuring compatibility and preventing missing method issues on these frameworks.
  For details see #3249

Fundamentals

• Add AI assist rules
  Incorporated AI assist rules to enhance AI agents effectiveness.
  For details see #3255
• Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0
  Upgraded analyzer packages for improved diagnostics and code consistency (in particular delegates are added).
  For details see #3256
• Move suppression of RS006 to csproj
  Centralized suppression of RS006 warnings in project files for easier management.
  For details see #3230

What's Changed

• Move suppression of RS006 to csproj. by @brentschmaltz in #3230
• Add expected Base64UrlEncoder.Decode overload for NET6 and 8 by @pmaytak in #3250
• add ai assist rules by @jennyf19 in #3255
• Enhance ConfigurationManager with event handling by @GeoK in #3254
• Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0 by @pmaytak in #3256
• Update CHANGELOG.md for 8.12.0 by @jmprieur in #3258

Full Changelog: 8.11.0...8.12.0

8.11.0

New Features:

• Microsoft.IdentityModel now exposes the AadIssuerValidator factory method publicly to enable caching functionality for AadIssuerValidator instances. See issue #3245 for details.
• Added a new public async API: JsonWebTokenHandler.DecryptTokenWithConfigurationAsync, which decrypts a JWE token using keys from either TokenValidationParameters or, if not present, from configuration (such as via a ConfigurationManager). This enhancement improves developer experience by enabling asynchronous, cancellation-aware JWE decryption scenarios, aligning with modern .NET async patterns and making integration with external key/configuration sources more robust and observable. See PR #3243 for details.

What's Changed

• few updates by @jennyf19 in #3242
• Changelog for 8.10.0 by @sruke in #3241
• Exposes publicly override of AadIssuerValidator factory taking a delegate by @jmprieur in #3244
• update current version to 8.10.0 by @brentschmaltz in #3246
• Add DecryptTokenWithConfiguration API by @pmaytak in #3243
• changelog for 8.11 by @jennyf19 in #3248

Full Changelog: 8.10.0...8.11.0

8.10.0

Bug Fixes

• Corrected casing of the Type attribute in SubjectConfirmationData. See #3206.
• Removed Microsoft.Bcl.Memory dependency for pre-.NET 9.0 targets. See #3220.
• Aligned Microsoft.Extensions.Logging.Abstractions version to 8.0.0 for .NET 9 to match other targets. See #3226.

Fundamentals

• Introduced Long-Term Support (LTS) policy. See #3228 and #3232.

8.9.0

Bug Fixes

• syncAfter has been updated to preserve UTC information, addressing a bug where GetConfigurationAsync does not refresh configuration in ConfigurationManager. See #3213.
• Fixed a null reference issue in KeyInfo. See #3203.

New Features

• Introduced a new delegate for reading custom token payload values on JsonWebToken. See #2981.
• Added an overload for ReadJsonWebToken to take a ReadOnlyMemory. See #3205.

Fundamentals

• Utilized IList to avoid enumerator allocation during audience validation. See #3204.

8.8.0

New Features

• Adds the ability for the metadata refresh to be done as a blocking call, as per 8.0.1 behavior. This is done through the Switch.Microsoft.IdentityModel.UpdateConfigAsBlocking switch. If set, configuration calls will be blocking when metadata is updated, otherwise, if token arrive with a new signing keys, validation errors will be returned to the caller. See PR #3193 for details.
• Identity.Model updates some log and error messages (IDX10214, IDX10215). If the information is needed for debugging purposes, it can be reverted via the Switch.Microsoft.IdentityModel.DoNotScrubExceptions AppContextSwitch. See PR #3195 and https://aka.ms/identitymodel/app-context-switches for details.
• Change all plain object locks to System.Thread.Lock objects for .NET 9 or greater. See PRs #3185 and #3189 for details.

Bug Fixes

• Add back internal methods IsRecoverableException and IsRecoverableExceptionType whose signatures were changed in the previous version. See #3181.

New Features

• Make Cnf class public and move it to Microsoft.IdentityModel.Tokens package. See #3165.

What's Changed

• Post Release 8.6.1 cleanup by @mdchennu in #3160
• Updates CodeQL.yaml to exclude test files by @sruke in #3163
• Adds explanation for CodeQL warnings by @sruke in #3167
• Fix typo by @rstm-sf in #3175
• Need to change the locks by @JoshLozensky in #3171
• Move CNF from SHR to M.IM.Tokens by @keegan-caruso in #3168
• Add back IsRecoverableException methods. by @pmaytak in #3183
• Revert "Need to change the locks" by @pmaytak in #3186
• 8.7.0 changelog by @pmaytak in #3184

New Contributors

• @rstm-sf made their first contribution in #3175

Full Changelog: 8.6.1...8.7.0

8.6.1

Bug fix

• Microsoft.IdentityModel now triggers a configuration refresh if token decryption fails. See issue #3148 for details.
• Fix a bug in JsonWebTokenHandler where JwtTokenDecryptionParameters's Alg and Enc were not set during token decryption, causing IDX10611 and IDX10619 errors to show null values in the messages. See issue #3003 for details.

Fundamentals

• For development, IdentityModel now has a global.json file to specify the .NET SDK version. See issue #2995 for details.

What's Changed

• Update version.props to next version by @jennyf19 in #3145
• Update the public API shipped files by @jmprieur in #3146
• Add global.json file by @mdchennu in #3153
• Trigger metadata refresh for token decryption errors by @pmaytak in #3149
• Populate error messages correctly from JwtTokenUtilities.DecryptJwtToken by @ksaaf in #3152
• first changelog update by @jennyf19 in #3156

New Contributors

• @mdchennu made their first contribution in #3153
• @ksaaf made their first contribution in #3152

Full Changelog: 8.6.0...8.6.1