Skip to content

Bump System.IdentityModel.Tokens.Jwt to 6.34.0 #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Bump System.IdentityModel.Tokens.Jwt to 6.34.0 #65

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 31, 2025

Updated System.IdentityModel.Tokens.Jwt from 6.10.2 to 6.34.0.

Release notes

Sourced from System.IdentityModel.Tokens.Jwt's releases.

6.34.0

Security fixes

See https://aka.ms/IdentityModel/Jan2024/zip and https://aka.ms/IdentityModel/Jan2024/jku for details.

6.33.0

Bug Fixes:

  • Clean up log messages. See #​2339 for details.
  • Decouple JsonElements from JsonDocument, which causes issues in multi-threaded environments. See #​2340 for details.

6.32.3

6.32.2

6.32.2

Bug fixes:

  • Underlying JsonDocument is never disposed, causing high latency in large scale services. See #​2258 for details.

6.32.1

6.32.0

New features:

  • Adding an AAD specific signing key issuer validator. See issue #​2134 for details.
  • Better support for WsFederation (#​2100)

Bug fixes

  • Address perf regression introduced in 6.31.0 (#​2131)

6.31.0

This release contains work from the following PRs and commits:

6.30.1

This release contains work from the following PRs:

  • Modified token validation to be async throughout the call graph #​2075
  • Enforce key sizes when creating HMAC #​2072
  • Fix AotCompatibilityTests #​2066
  • Use up-to-date "now", in case take long time to get Metadata #​2063

This release addresses #​1743 and, as such, going forward if the SymmetricKey is smaller than the required size for HMAC IdentityModel will throw an ArgumentOutOfRangeException which is the same exception when the SymmetricKey is smaller than the minimum key size for encryption.

6.30.0

Beginning in release 6.28.0 the library stopped throwing SecurityTokenUnableToValidateException. This version (6.30.0) marks the exception type as obsolete to make this change more discoverable. Not including it in the release notes explicitly for 6.28.0 was a mistake. This exception type will be removed completely in the next few months as the team moves towards a major version bump. More information on how to replace the usage going forward can be found here: https://aka.ms/SecurityTokenUnableToValidateException

Indicate that a SecurityTokenDescriptor can create JWS or JWE
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2055
Specify 'UTC' in log messages
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@ceb10b1
Fix order of log messages
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@05eeeb5

Fixed issues with matching Jwt.Kid with a X509SecurityKey.x5t
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2057
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2061

Marked Exception that is no longer used as obsolete
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2060

Added support for AesGcm on .NET 6.0 or higher
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@85fa86a

First round of triming analysis preperation for AOT
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2042

Added new API on TokenHandler.ValidateTokenAsync(SecurityToken ...) implemented only on JsonWebTokenHandler.
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2056

6.29.0

  • Add BootstrapRefreshInterval (#​2052)
  • Added net462 target (#​2049)
  • Create the configuration cache in the BaseConfigurationManager class (#​2048)

6.28.1

6.28.0

6.27.0

Servicing release
Set maximum depth for Newtonsoft parsing.
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2024
Improve metadata failure message.
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2010
Validate size of symmetric signatures.
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2008
Added property TokenEndpoint to BaseConfiguration.
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1998

6.26.1

Releasing a Hotfix for Wilson 6.26.0 that reverts async/await changes made in AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1996 to address a performance reduction issue.

6.26.0

Servicing release
Introducing a new boolean TokenValidationParameter LogTokenId.
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2002
Update System.Text.Encodings.Web
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1997
Update ValidateToken call stack fully async
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1996
JsonWebTokenHandler to return the JsonWebToken on validation failure
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1989
Update documentation of DefaultTokenLifetimeInMinutes
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1988

6.25.1

Servicing release
.net was throwing when JWT tokens contained claims that used escaped characters.
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1975
Fixed Typo in comments
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1971
Added inner exception to help diagnose when reading JWT tokens fails.
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1968
Updated comments to improve understanding of RoleClaimTypeRetriever and NameClaimTypeRetriever
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1960

6.25.0

Add Instance property bag that is cleared when Clone is called.
Added comments to JsonWebTokenHandler and JwtSecurityTokenHandler to emphasize that ReadToken does not validate the token.
#​1952
#​1954

6.24.0

Single feature to control if exceptions are logged for Audience and Issuer failures.
Sometimes multiple policies are used, when a subsequent policy succeeds the upper layer can decide if previous exceptions should be logged.
#​1949

6.23.1

A simple 'dot' release to fix an issue where JsonWebTokenHandler virtual CreateClaimsIdentity was not called.
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1940

6.23.0

#​1934 JsonWebToken and JsonWebTokenHandler use System.Text.Json for JSON parsing for targets Net61+.
String splits have been removed and much of the duplicated string copying and processing has been removed resulting in a 20-25% performance increase.

#​1924 This delegate will be called just before a token has the SignatureValidated. This allows for preprocessing of the token prior to signature validation. This is currently only used by the JsonWebTokenHandler.

6.22.1

New Features:

Microsoft.IdentityModel has two assemblies to manipulate JWT tokens:

System.IdentityModel.Tokens.Jwt, which is the legacy assembly. It defines JwtSecurityTokenHandler class to manipulate JWT tokens.
Microsoft.IdentityModel.JsonWebTokens, which defines the JsonWebToken class and JsonWebTokenHandler, more modern, and more efficient.
When using JwtSecurityTokenHandler, the short named claims (oid, tid), used to be transformed into the long named claims (with a namespace). With JsonWebTokenHandler this is no longer the case, but when you migrate your application from using JwtSecurityTokenHandler to JsonWebTokenHandler (or use a framework that does), you will only get original claims sent by the IdP. This is more efficient, and occupies less space, but might trigger a lot of changes in your application. In order to make it easier for people to migrate without changing their app too much, this release offers extensibility to re-add the claims mapping.

Bug Fixes:

(#​1933) Wrong parameter order when calling ValidateLifetimeAndIssuerAfterSignatureNotValidatedJwt

6.22.0

New Features:

Unmasked non-PII properties in log messages -
In Microsoft.IdentityModel logs, previously only system metadata (DateTime, class name, httpmethod etc.) was displayed in clear text. For all other log arguments, the type was being logged to prevent Personally Identifiable Information (PII) from being displayed when ShowPII flag is turned OFF. To improve troubleshooting experience non-PII properties - Issuer, Audience, Key location, Key Id (kid) and some SAML constants will now be displayed in clear text. See issue #​1903 for more details.

Prefix Wilson header message to the first log message -
To always log the Wilson header (Version, DateTime, PII ON/OFF message), EventLogLevel.LogAlways was mapped to LogLevel.Critical in Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter class which caused confusion on why header was being displayed as a fatal log.
To address this, header is now prefixed to the first message logged by Wilson and separated with a newline. EventLogLevel.LogAlways has been remapped to LogLevel.Trace. See issue #​1907 for more details.

Bug Fixes:

Copy the IssuerSigningKeyResolverUsingConfiguration delegate in Clone() #​1909

6.21.0

Dependency Updates:

Updated Newtonsoft dependency to 13.0.2 #​1902

Bug Fixes:

Add M.IM.TestExtensions to strong name by pass. #​1897

Add early alerting for governance #​1896

Adjust log level #​1893

Fundamentals

Update newtonsoft per governance report #​1890

6.20.0

New Feature:

Microsoft.IdentityModel now provides a LoggerContext class to aid with debugging. See issue #​1876 for details.

Bug Fixes:

The cty claim is now optional. See issue #​1861 for details.

The signature of the token is no longer logged. See issue #​1880 for details.

ValidateHash method Alg is null when token is a JWE token. See issue #​1680 for details.

Fixed the issue the compaction actions are queued but potentially never got started. See issue #​1871 for details.

6.19.0

Enhancements

  • Introducing IdentityLoggerAdapter for Identity Libraries integrating (#​1862)

6.18.0

Enhancements

  • Simplify strings comparison with Ordinal option (#​1775)
  • Set 'cty' claim in JWE header (#​1588)
  • Added custom logger interface (#​1823)
  • log cert thumbprint (#​1820)
  • Introduced custom log level enum to remove dependency on System.Diagnostics.Tracing.EventLevel in IIdentityLogger (#​1843)

6.17.0

New Features

  • Added a new ConfigurationManager constructor with configuration validator (#​1825).

6.16.0

Enhancements

  • Make Microsoft.IdentityModel.Tokens visible to S2S.Tokens (#​1807).
  • Added the ValidateTokenAsyc() and ReadToken() methods to all token handlers (#​1810).

6.15.1

Enhancements

  • Performance improvement when caching signature providers. No need to use LRU logic since it is assumed only a small number of signature providers will be in play at a time (#​1783).
  • DisposableObjectPool disposes of objects on Free() when full (#​1802).

Bugs

  • TestTokenCreator modified to throw SecurityTokenInvalidSignatureException rather than ArgumentException(#​1798).
  • AadIssuerValidator fixed issue where AadIssuerValidatorConstants.Tid was used where AadIssuerValidatorConstants.TenantId should have been used (#​1801).

6.15.0

New Features

  • Added support for the Last Known Good feature (#​1723)
  • Made logging more legible by displaying Non-PII information in clear text (#​1757)
  • Added new GitHub Templates to report bugs (#​1756)
  • Added the OpenID standard scope "address" (#​1787)

Enhancements

  • Added multi-auth scheme support in AadIssuerValidator (#​1753)
  • Added default values for TokenValidationParameters (#​1767)
  • Improved logging to indicate issuer is an empty string (#​1758) (#​1761)
  • Improved exception handling when metadata retrieval results in a failure (#​1776)
  • Added string optimizations (#​1765)
  • Improved performance of Saml2 attributes consolidation (#​1764)
  • Updated comments to use references (#​1769)
  • Added new unit test samples that make negative testing easier for consumers of this library. These show the most common problem token types and gives examples for validation. (#​1748)

Bug Fixes

  • Fixed broken links to ietf.org (#​1723)

6.14.1

Bug Fixes:

The AadIssuerValidator in Microsoft.IdentityModel.Validators now uses the entire authority (instance + tenant ID), not just the authority host when validating the issuer. This was an issue which arose when using multiple authentication schemes. See issue #​1752 .

6.14.0

New Features

A new assembly, Microsoft.IdentityModel.Validators, is available! It provides an issuer validator for the Microsoft identity platform (AAD and AAD B2C), working for single and multi-tenant applications and v1 and v2 token types. See #​1736 and Microsoft.Identity.Web issue.

Bug Fixes

Fixes to determine when IsValid property has been checked. Includes a warning so developers ensure that token validation succeeded before reading the claims. See #​1718.

aka.ms link added for issuer validation failure. See issue #​1732.

Fix broken rfc link. See issue #​1728.

Add const for the OIDC scope "phone". See #​1720.

Use https for hyperlinks in XLM. See #​1719.

6.13.1

Updating comments to help improve correct usage
#​1705

SignedHttpRequests
New exceptions and delegate for validation.
#​1704

Base64UrlEncoder performance improvements
#​1698

Improve comments to clarify API usage and avoid unintentional validation weakening
#​1687

Modify how internal caching runs tasks
Change to starting the event queue task via the Task.Run() method so it is on the default task scheduler and will not interfere with caller's task scheduler as some custom task schedulers might be single threaded and execution can be blocked. The second change is replacing the BlockingCollection with ConcurrentQueue to prevent resource leaks
#​1696

Adding the BaseConfigurationManager and BaseConfiguration
This simplifies access to first class properties such as RefreshInterval etc.
Some of the properties in TokenValidationParameter were left as internal as they are required for a future feature that requires additional work.
#​1695

NOTE: Version 6.13.0 should NOT be used. In version 6.13.0, users were experiencing an issue where they could not use a ConfigurationManager where T is a custom class. This has been addressed in 6.13.1.

6.12.2

BugFixes

Stop the event queue task when event queue is empty (#​1685)

6.12.1

BugFixes

  • Fix double instantiation of Uri in IsHttps() (#​1676)

Enhancements and features

  • Enable deterministic builds for CI builds (#​1672).
  • Remove wait on first force refresh (#​1674)
  • Send additional data to metadata end point (#​1678)

6.12.0

Bug fixes

  • Addressed security bugs (#​1656, #​1661, #​1657).
  • Fixed the task leaking issue in the EventBasedLRUCache (#​1667).

Enhancements and features

  • Added support for decryption using AesGcm (#​1606).

6.11.1

Bug fix:

  • Fixing incorrect parameters when writing Saml2ProxyConditions (#​1646).

6.11.0

Enhancements and Features

Send SKU and Version details to metadata end point #​1632

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump System.IdentityModel.Tokens.Jwt to 6.34.0
437b5a0 
---
updated-dependencies:
- dependency-name: System.IdentityModel.Tokens.Jwt
  dependency-version: 6.34.0
  dependency-type: direct:production
- dependency-name: System.IdentityModel.Tokens.Jwt
  dependency-version: 6.34.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Jul 31, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant