Update dotnet-azure-ad-microsoft-identity-web monorepo to 2.21.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Microsoft.Identity.Web	2.13.1 → 2.21.1
Microsoft.Identity.Web.TokenCache	2.13.1 → 2.21.1
Microsoft.Identity.Web.UI	2.13.1 → 2.21.1

---

Release Notes

AzureAD/microsoft-identity-web (Microsoft.Identity.Web)

v2.21.0

Compare Source

2.21.0

• Updated to Microsoft.IdentityModel 7.7.0

CVE package updates

CVE-2024-30105

v2.20.0

2.20.0

• Updated to Microsoft.Identity.Abstractions 6.0.0 which adds one method to IAuthorizationHeaderProvider

New features

• Implements the updated IAuthorizationHeaderProvider interface (the new method CreateAuthorizationHeaderForAppAsync). See issue #​2907
• If an IMsalHttpClientFactory is added to the service collection, it's not used by IdWeb token acquisition. See issue #​2911
  This will be use to enable some IPv6 scenarios.

Bug fixes

• Fix metadata address creation when using AddMicrosoftIdentityWebApp. See issue #​2752
• Use MSAL.NET instead of DefaultAzureCredential for Federation identity credentials scenario. See 2894

Fundamentals

• Updating Lab Api to 0.13.3

v2.19.0

Compare Source

2.19.0

• Updated to Microsoft.IdentityModel.* 7.6.0

New features

• Id Web now provides a .WithUser() modifier to the Microsoft Graph queries (like WithAppOnly()). See issue #​2855 for details.
• Id Web now provides a base class for implementing a custom IAuthorizationHeaderProvider. See issue #​2856 for details.

Bug fixes

• Id Web now processes the extra query parameters when included as part of the authority. See issue #​2697 for details.

v2.18.2

Compare Source

2.18.2

New feature

• Target Microsoft.IdentityModel 7x in OWIN targets, see issue #​2785 for details.

Bug fixes

• Id Web now accepts an env var to disable interactive auth for KeyVaultCertificateLoader, see issue #​2647 for details.
• Id Web token acquisition on ASP.NET Core 2.x on net472 or net48 implements ITokenAquirerFactory, see issue #​2849 for details.

v2.18.1

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 7.5.1

Bug fix

• Fix for FIC due to appending ./default, see issue #​2796 for details.

v2.18.0

Compare Source

=========

• Updated to Microsoft.Identity.Abstractions 5.3.0
• Updated Azure.Security libraries to 4.6.0

New features

• Added support for Managed Identity Federated Identity Credential. See issue #​2749 for details.
• Added support to read a section to register multiple downstream APIs. See issue #​2255 for details.

Bug fix

• TokenAcquirer factory is now thread safe and can handle multiple azure regions. See issue #​2765 for details.

v2.17.5

Compare Source

=========

• Updated to MSAL 4.59.1.

v2.17.4

Compare Source

=========

Bug fix

• Fix assertions being removed from dict before callback is executed in TokenAcquisition. See issue #​2734 for details.

v2.17.3

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 7.5.0

v2.17.2

Compare Source

=========

New features

• Added support for CIAM custom user domains. You can now use an Open ID connect authority in the "Authority" property of the configuration instead of using "Instance" and "Tenant". See issue #​2690 for details.

v2.17.1

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 7.4.0

New features

• DownstreamApi now automatically processes claims challenge from web APIs which are CAE enabled, provided you set "ClientCapablities" : ["cp1"] in the configuation. See issue #​2550.

Bug fixes

• Fixes the use of ServiceDescriptor for containers which have keyed services present. This can be an issue on .NET 8.0. See issue #​2676 for details.

Engineering excellence

• Calls to ConfidentialClientApplicationBuilderExtension.WithClientCredentials are fully async. See issue #​2566 for details.

v2.17.0

Compare Source

=========

• Updated to Microsoft.IdentityModel.* 7.3.1 and MSAL.NET 4.59.0

New features

• Added support for Microsoft.NET.Sdk.Worker. See Worker calling APIs
• Added support for Managed identity when calling a downstream API on behalf of the app. See Calling APIs with Managed Identity and PR 2650. For details see PR #​2645

Bug fixes

• In OWIN applications, GetTokenForUserAsync now respects the ClaimsPrincipal. See issue #​2629 for details.
• After setting AddTokenAcquisition(useSingleton:true) to use token acquisition as a singleton, if you use .AddMicrosoftGraph and/or .AddDownstreamApi after this call,
  the GraphServiceClient and IDownstreamApis are now registered as a singleton service. For details see PR #​2645
• Added check Against Injection Attacks. For details see PR 2619

Engineering excellence

• Added a benchmark running on PR merges, available from https://azuread.github.io/microsoft-identity-web/benchmarks on GitHub pages

v2.16.1

Compare Source

=========

• Update Microsoft.Identity.Abstractions 5.1.0 and Microsoft.IdentityModel.* 7.1.2

Bug Fixes

• In OWIN, Id Web now respects the passed in user argument. See issue #​2585 for details.

v2.16.0

Compare Source

=========

• Leverage IdentityModel 7.x on all .NET core frameworks.

v2.15.5

Compare Source

=========

• Update to .NET 8 GA
• Update to Microsoft.Graph 5.34.0

Bug Fixes

• Fixes an issue where users were not able to override ICredentialsLoader. See #​2564 for details.
• The latest patch version is no longer used in dependencies, as it made builds non-deterministic. See #​2569 for details.
• Removed dependencies that were no longer needed. See #​2577 for details.
• Fixes an issue where the build did not look up project names as package dependencies. See #​2579 for more details.

Fundamentals

• Enable baseline package validation, see #​2572 for details.
• Improve trimmability on .NET 8, see #​2574 for details.

v2.15.3

Compare Source

=========

• Update Azure.Identity library to 1.10.2 for CVE-2023-36414.

Bug Fixes:

• Microsoft.Identity.Web honors the user-provided value for the cache expiry for in-memory cache. See #​2466 for details.

v2.15.2

Compare Source

=========

• For the .NET 8 rc2 target framework, the IdentityModel dependencies have been updated to Identity.Model.*.7.0.3.

Bug Fixes

• Fixes a regression introduced in 2.15.0 where the OnTokenValidated delegates were no longer chained with an await. See issue#​2513.

v2.15.1

=========

• Updated IdentityModel dependencies to Identity.Model.*.6.33.0 for all target frameworks other than .NET 8 rc1, for which Microsoft,Identity.Web leverages Identity.Model 7.0.2

v2.14.0

=========

• Update to Abstractions 5.0.0
• Include new OpenIdConnect options from net 8. See PR #​2462

Bug Fixes

• Chain the OnMessageReceived event. See PR #​2468

v2.13.4

Compare Source

=========

• Update to IdentityModel 7.0.0-preview5 on .NET 8 and IdentityModel 6.32.3 for the other target frameworks.
• Update to MSAL 4.56.0, which now
  enables the cache synchronization by default
• Support for .NET 8 preview 7. See PR #​2430

Bug fixes

• In Microsoft.Identity.Web.Owin, removed un-needed reference to Microsoft.Aspnet.WebApi.HelpPage. See issue #​2417
• Fix to accommodate for breaking change in ASP.NET Core on .NET 8 that the SecurityToken is now a JsonWebToken. See issue #​2420
• Improved the usability of IDownstreamApi by checking all HttpResponse for success before returning to the caller, instead of swallowing issues. This is a change of behavior. See issue #​2426
• Improvement/Fix of OWIN scenarios, especially the session with B2C: #​2388
• Fix an issue with CIAM web APIs and added two CIAM test apps. See PR #​2411
• Fix a bug that is now surfaced by the .NET 8 runtime. See issue #​2448
• Added a lock while loading credentials. See issue #​2439

Fundamentals

• performance improvements: #​2414
• Replaced Selenim with Playwright for more reliable faster UI tests. See issue #​2354
• Added MSAL telemetry about the kind of token cache used (L1/L2). See issue #​1900
• Resilience improvement: IdWeb now attempts to reload a certificate from its description when AAD returns "certificate revoked" error. See issue #​244

v2.13.3

Compare Source

=========

• Update to IdentityModel 7.0.0-preview2 on .NET 8.

New features:

• Support langversion 11, which as fewer allocations compared to 10. See issue #​2351.
• In AspNET Core 3.1 and Net 5+, Microsoft.Identity.Web now use the DefaultTokenAcquisitionHost (the host for SDK apps) instead of the
  Asp.NET Core one, when the service collection was not initialized by ASP.NET Core (that is the IWebHostEnvironment is not present in the collection. If you want the ASP.NET Core host, you would need to use the WebApplication.CreateBuilder().Services instead
  of instantiating a simple service collection.
• In web APIs, GetAuthenticationResultForUserAsync tries to find the inbound token from user.Identity.BootstrapContext first (if not null), and then from the token acquisition host. This will help for non-asp.NET Core Azure functions for instance.
  See issue #​2371 for details.

v2.13.2

Compare Source

=========

Bug fixes:

• Fix bug found in usage of AzureAD key issuer validator, see issue #​2323.
• Improved performance in downstreamAPI, see issue #​2355 for details.
• Address duplicate cache entries, with singleton token acquisition, which was causing much larger cache size than needed. See issue #​2349.
• Distributed cache logger now prints correct cache entry size, see issue #​2348

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.