Sourced from WireMock.Net's changelog.

1.5.62 (27 July 2024)

• #1147 - Add FormUrlEncodedMatcher [feature] contributed by StefH
• #1143 - FormEncoded Request fails (404 Not Found) if key value pairs order in mapping is different from request body order [bug]

1.5.61 (22 July 2024)

• #1122 - Fix OpenApiPathsMapper [bug] contributed by StefH
• #1135 - Bump System.Text.Json from 4.7.2 to 8.0.4 in /examples/WireMock.Net.Console.Net472.Classic [dependencies] contributed by dependabot[bot]
• #1136 - Bump System.Text.Json from 8.0.0 to 8.0.4 in /src/dotnet-WireMock.Net [dependencies] contributed by dependabot[bot]
• #1137 - Add link to TIOBE Index on main page + fix issues [refactor] contributed by StefH
• #1138 - Fix some SonarCloud warnings [refactor] contributed by StefH
• #1141 - Update WireMockContainerBuilder.WithMappings for "includeSubDirectories" [feature] contributed by StefH
• #1142 - Make property FromConfiguredStub nullable (for WireMock.Org) [bug] contributed by StefH
• #1118 - Generating mappings from Payroc open-api file gives ArgumentException: Property with the same name already exists on object [bug]
• #1139 - Allow WithMappings to support scanning SubDirectories when building a WireMockContainer [feature]
• #1140 - WireMock.Org nullable properties and defaults [bug]

• 275816c Fix Directory.Build.props
• 3888b9b 1.5.62
• 3353be6 Add FormUrlEncodedMatcher (#1147)
• 926eaae 1.5.61
• d79f6f1 Fix OpenApiPathsMapper (#1122)
• 422e7c9 Make properyt FromConfiguredStub nullable (#1142)
• 6055b0d Fix some SonarCloud warnings (#1138)
• 6ab1a6f Update WireMockContainerBuilder.WithMappings for "includeSubDirectories" (#1141)
• 54edf0b Add link to TIOBE Index on main page + fix issues (#1137)
• baac83c Bump System.Text.Json from 8.0.0 to 8.0.4 in /src/dotnet-WireMock.Net (#1136)
• Additional commits viewable in compare view

Sourced from System.IdentityModel.Tokens.Jwt's releases.

6.34.0

Security fixes

See https://aka.ms/IdentityModel/Jan2024/zip and https://aka.ms/IdentityModel/Jan2024/jku for details.

6.33.0

Bug Fixes:

• Clean up log messages. See #2339 for details.
• Decouple JsonElements from JsonDocument, which causes issues in multi-threaded environments. See #2340 for details.

6.32.3

• Fix logging messages. See AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2288 for details.

6.32.2

Bug fixes:

• Underlying JsonDocument is never disposed, causing high latency in large scale services. See #2258 for details.

6.32.1

• Fix thread safety for JsonClaimSet Claims and JsonWebToken Audiences. See AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2185 for details.

6.32.0

New features:

• Adding an AAD specific signing key issuer validator. See issue #2134 for details.
• Better support for WsFederation (#2100)

Bug fixes

• Address perf regression introduced in 6.31.0 (#2131)

6.31.0

This release contains work from the following PRs and commits:

• Introduce ConfigurationValidationException(#2076)
• Disarm security artifacts(#2064)
• Throw SecurityTokenMalformedTokenException on malformed tokens(#2080)
• Add ClaimsMapping to JsonWebTokenHandler AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8e7f07e

6.30.1

This release contains work from the following PRs:

• Modified token validation to be async throughout the call graph #2075
• Enforce key sizes when creating HMAC #2072
• Fix AotCompatibilityTests #2066
• Use up-to-date "now", in case take long time to get Metadata #2063

This release addresses #1743 and, as such, going forward if the SymmetricKey is smaller than the required size for HMAC IdentityModel will throw an ArgumentOutOfRangeException which is the same exception when the SymmetricKey is smaller than the minimum key size for encryption.

6.30.0

Beginning in release 6.28.0 the library stopped throwing SecurityTokenUnableToValidateException. This version (6.30.0) marks the exception type as obsolete to make this change more discoverable. Not including it in the release notes explicitly for 6.28.0 was a mistake. This exception type will be removed completely in the next few months as the team moves towards a major version bump. More information on how to replace the usage going forward can be found here: https://aka.ms/SecurityTokenUnableToValidateException

Indicate that a SecurityTokenDescriptor can create JWS or JWE

... (truncated)

Sourced from System.IdentityModel.Tokens.Jwt's changelog.

See the releases for details on bug fixes and added features.

8.0.1

Bug fixes

• IdentityModel now resolves the public key to EPK. See issue #1951 for details.
• Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #2682 for details.
• For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #2737 for details.

Performance improvement

• AppContext.TryGetSwitch statically caches internally but takes out a lock. .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.

8.0.0

CVE package updates

CVE-2024-30105

• See PR #2707 for details.

Breaking change:

Full list of breaking changes.

• A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.
• Make CollectionUtilities.IsNullOrEmpty internal. See issues Add Discovery.AwsApi multi-config support #2651 and #1722 for details.

Overall improvements to the validation in IdentityModel:

• See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

• Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.

Bug fixes:

• Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #2680 for details.
• Continuation of #2637 and #2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.
• The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0
• The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0
• Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #2524 for details.
• When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #1970.

Fundamentals

• Remove code that was used in target frameworks that got removed. See PR #2673 for details.
• Rename local variables for better readability. See PR #2674 for details.
• Refactor XML comments for improved clarity. See PR #2676, #2677, #2678, #2689 and #2703 for details.
• Fix flaky test. See issue #2683 for details.
• Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #2661

8.0.0-preview1

Breaking changes:

• IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue #2544 for details.

... (truncated)

• edcac44 release with small r
• 6fac685 skip suffix for release builds
• 2f945a4 update version to 6.34.0
• 74cc160 Merged PR 10242: Update Dev6x to fix the release build
• 4845cf1 Merged PR 10239: Commenting out a constant which is not used
• e06dc84 Merged PR 10213: Set MaximumDeflateSize
• 0b2f269 Merged PR 10182: Don't resolve jku claim by default
• c3e99cd update build config version (#2350)
• 8ea36a8 Update CHANGELOG.md (#2348)
• 9d9925e [Log Scrubbing] Clean up log messages in Wilson (#2339) (#2344)
• Additional commits viewable in compare view

Sourced from Microsoft.IdentityModel.JsonWebTokens's releases.

6.34.0

Security fixes

See https://aka.ms/IdentityModel/Jan2024/zip and https://aka.ms/IdentityModel/Jan2024/jku for details.

6.33.0

Bug Fixes:

• Clean up log messages. See #2339 for details.
• Decouple JsonElements from JsonDocument, which causes issues in multi-threaded environments. See #2340 for details.

6.32.3

• Fix logging messages. See AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2288 for details.

6.32.2

Bug fixes:

• Underlying JsonDocument is never disposed, causing high latency in large scale services. See #2258 for details.

6.32.1

• Fix thread safety for JsonClaimSet Claims and JsonWebToken Audiences. See AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2185 for details.

6.32.0

New features:

• Adding an AAD specific signing key issuer validator. See issue #2134 for details.
• Better support for WsFederation (#2100)

Bug fixes

• Address perf regression introduced in 6.31.0 (#2131)

6.31.0

This release contains work from the following PRs and commits:

• Introduce ConfigurationValidationException(#2076)
• Disarm security artifacts(#2064)
• Throw SecurityTokenMalformedTokenException on malformed tokens(#2080)
• Add ClaimsMapping to JsonWebTokenHandler AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@8e7f07e

6.30.1

This release contains work from the following PRs:

• Modified token validation to be async throughout the call graph #2075
• Enforce key sizes when creating HMAC #2072
• Fix AotCompatibilityTests #2066
• Use up-to-date "now", in case take long time to get Metadata #2063

This release addresses #1743 and, as such, going forward if the SymmetricKey is smaller than the required size for HMAC IdentityModel will throw an ArgumentOutOfRangeException which is the same exception when the SymmetricKey is smaller than the minimum key size for encryption.

6.30.0

Beginning in release 6.28.0 the library stopped throwing SecurityTokenUnableToValidateException. This version (6.30.0) marks the exception type as obsolete to make this change more discoverable. Not including it in the release notes explicitly for 6.28.0 was a mistake. This exception type will be removed completely in the next few months as the team moves towards a major version bump. More information on how to replace the usage going forward can be found here: https://aka.ms/SecurityTokenUnableToValidateException

Indicate that a SecurityTokenDescriptor can create JWS or JWE

... (truncated)

Sourced from Microsoft.IdentityModel.JsonWebTokens's changelog.

See the releases for details on bug fixes and added features.

8.0.1

Bug fixes

• IdentityModel now resolves the public key to EPK. See issue #1951 for details.
• Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #2682 for details.
• For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #2737 for details.

Performance improvement

• AppContext.TryGetSwitch statically caches internally but takes out a lock. .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.

8.0.0

CVE package updates

CVE-2024-30105

• See PR #2707 for details.

Breaking change:

Full list of breaking changes.

• A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.
• Make CollectionUtilities.IsNullOrEmpty internal. See issues Add Discovery.AwsApi multi-config support #2651 and #1722 for details.

Overall improvements to the validation in IdentityModel:

• See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

• Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.

Bug fixes:

• Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #2680 for details.
• Continuation of #2637 and #2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.
• The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0
• The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0
• Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #2524 for details.
• When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #1970.

Fundamentals

• Remove code that was used in target frameworks that got removed. See PR #2673 for details.
• Rename local variables for better readability. See PR #2674 for details.
• Refactor XML comments for improved clarity. See PR #2676, #2677, #2678, #2689 and #2703 for details.
• Fix flaky test. See issue #2683 for details.
• Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #2661

8.0.0-preview1

Breaking changes:

• IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue #2544 for details.

... (truncated)

• edcac44 release with small r
• 6fac685 skip suffix for release builds
• 2f945a4 update version to 6.34.0
• 74cc160 Merged PR 10242: Update Dev6x to fix the release build
• 4845cf1 Merged PR 10239: Commenting out a constant which is not used
• e06dc84 Merged PR 10213: Set MaximumDeflateSize
• 0b2f269 Merged PR 10182: Don't resolve jku claim by default
• c3e99cd update build config version (#2350)
• 8ea36a8 Update CHANGELOG.md (#2348)
• 9d9925e [Log Scrubbing] Clean up log messages in Wilson (#2339) (#2344)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)