Bump the nuget group with 3 updates#1
Open
dependabot[bot] wants to merge 1 commit into
Open
Conversation
Bumps Duende.IdentityServer from 6.3.7 to 7.0.8 Bumps MailKit from 4.5.0 to 4.16.0 Bumps MessagePack from 2.5.140 to 2.5.301 --- updated-dependencies: - dependency-name: Duende.IdentityServer dependency-version: 7.0.8 dependency-type: direct:production dependency-group: nuget - dependency-name: MailKit dependency-version: 4.16.0 dependency-type: direct:production dependency-group: nuget - dependency-name: MessagePack dependency-version: 2.5.301 dependency-type: direct:production dependency-group: nuget - dependency-name: Duende.IdentityServer dependency-version: 7.0.8 dependency-type: direct:production dependency-group: nuget - dependency-name: MailKit dependency-version: 4.16.0 dependency-type: direct:production dependency-group: nuget ... Signed-off-by: dependabot[bot] <support@github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated Duende.IdentityServer from 6.3.7 to 7.0.8.
Release notes
Sourced from Duende.IdentityServer's releases.
7.0.8
This is a security hotfix that addresses CVE-2024-49755, a low-severity vulnerability in our handling of DPoP access tokens at local APIs. See
our blog post and the security advisory for more details.
7.0.7
This is a patch release that allows the
UserInteractionOptions.PromptValuesSupportedto be customized, in order to support custom prompt modes.What's Changed
Full Changelog: DuendeSoftware/products@7.0.6...7.0.7
7.0.6
This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.
7.0.5
This is a patch release that fixes bugs related to the prompt and max_age parameters and a null reference exception when the http context is not available during cleanup jobs. It also adds a warning log when we detect certain misconfigurations of the state data formatter cache.
What's Changed
Full Changelog: DuendeSoftware/products@7.0.4...7.0.5
7.0.4
This is a patch release that updates our dependency on ASP.NET framework packages from version 8.0.0 to version 8.0.3. This updates our transitive dependency on the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens packages past versions that have a known Denial of Service vulnerability.
What's Changed
Full Changelog: DuendeSoftware/products@7.0.3...7.0.4
7.0.3
This is a patch release that fixes a bug where
CryptographicExceptions would be thrown when hosting in IIS with theLoad user profileoption disabled.What's Changed
Full Changelog: DuendeSoftware/products@7.0.2...7.0.3
7.0.2
This is a patch release that fixes a performance bug in the license validation.
What's Changed
Full Changelog: DuendeSoftware/products@7.0.1...7.0.2
7.0.1
IdentityServer 7.0.1 reorganizes the OpenTelemetry metrics added in 7.0.0 in order to significantly improve their usability. The meter and counter names used in version 7.0.0 were not properly scoped, which caused issues in monitoring tools to the extent that many of the metrics would not be usable at all. We have therefore decided to rename our metrics. While this is a breaking change, we believe that a patch release close to the original 7.0.0 release is the least impactful way to resolve the situation.
Breaking Changes
For more details on the OTel Metrics, please see the documentation.
Full Changelog: DuendeSoftware/products@7.0.0...7.0.1
7.0.0
IdentityServer 7 is a major release that includes:
Full Changelog
.NET 8
IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.
TimeProviderbased clock abstraction improves the granularity of the clock and make code that depends on it easier to test. See #1341.Pushed Authorization Requests
IdentityServer now supports Pushed Authorization Requests. Pushed Authorization Requests (PAR) is a relatively new OAuth standard that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine to machine http calls on the back end). See #1424.
OpenTelemetry Metrics
IdentityServer's support for OpenTelemetry now includes support for metrics. OpenTelemetry measurements are now made where we have historically raised our custom events. While IdentityServer will continue to raise those custom events, we think that OpenTelemetry offers significant advantages (open standards and a large ecosystem of tooling), and we intend to emphasize OpenTelemetry in our future work related to observability. See #1456.
Reusable Refresh Tokens
Refresh tokens are now reusable by default. Rotated refresh tokens have historically been encouraged (and been our default), however more recent guidance from the IETF and our own experience have shown that rotation is not usually helpful from a security point of view but is actively harmful to the user experience and produces greater load on the data store.
Rotation of refresh tokens often does not improve their security because a sophisticated attacker can observe the rotation happening while the user is active, and only make use of the final token after the user is no longer active. See OAuth for Browser Based Apps for more details on this sort of attack.
Rotation harms the user experience, because if the token is rotated, but the network response with the new token fails, the user will have to log in again.
Rotation adds pressure on the data store because each time the token rotates, the old record must be updated and a new record written.
Given all these considerations, we have changed our default for
RefreshTokenUsagetoReUse. Also see #1500.Token Cleanup Job Improvements
The token cleanup job has historically been the cause of database contention, especially in load-balanced environments, as multiple instances of the job each try to update the table. This release includes a new implementation of the cleanup job which uses EntityFramework's execute delete api to improve performance as well as randomizing the initial startup time of the cleanup job, to help reduce the amount of concurrency across instances. See #1501.
Breaking Changes
Likely to impact most implementations
Duende.IdentityServer.EntityFrameworknow uses a 64-bit long as its primary key (previously was a 32-bit int). See #1463.Client.RequirePushedAuthorizationis a new boolean property that controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's flag is enabled (this can't be used to opt out of the global configuration). It is safe to initialize this column to false for existing clients, which will mean that the global configuration will be used.Client.PushedAuthorizationLifetimeis a new nullable integer property that controls the lifetime of pushed authorization requests (in seconds) for a client. If this lifetime is set, it takes precedence over the global configuration. It is safe to initialize this column tonullfor existing clients, which means the global configuration is used.Only impacts particular customizations or edge cases
The
DefaultCorsPolicyServicenow depends on theIConfigurationDbContextdirectly, instead of taking a dependency on theIServiceProviderand resolving that DbContext from it. If you have a customized CORS implementation that derives from theDefaultCorsPolicyService, you need to update the constructor of your derived class to use theIConfigurationDbContext. See #1239.The
DPoPProofValidatonContexthas been refactored. Instead of theClientproperty, we now put the relevant details (expiration validation mode and clock skew) directly in the context. We also have added the HTTP method and URL to the context. If you have a custom implementation of theIDPoPProofValidatoror a class that derives from theDefaultDPoPProofValidator, update your usage of the context appropriately. See #1338.The
DefaultTokenServiceno longer includes anIHttpContextAccessor. This member was unused by the default implementation and marked as obsolete. Customizations that derive from theDefaultTokenServiceno longer need to pass the accessor to the base constructor. If such a customization needs the accessor, add it to the derived class. See #1457.... (truncated)
7.0.0-rc.1
Identity Server 7.0.0 RC 1 is the release candidate for IdentityServer 7. IdentityServer 7 includes support for .NET 8, pushed authorization requests, OpenTelemetry metrics, cleanup job improvements, and many other fixes and enhancements.
What's New since Preview 2
See below for more details and links to related PRs.
IdentityServerToolsclass now implements the newIIdentityServerToolsinterface, to facilitate testing.ServerSideSideSessionRefreshTokenService.ValidateRefreshTokenAsyncis now a virtual method, to facilitate customization.ICustomBackchannelAuthenticationValidatorinterface has been added to facilitate custom CIBA validation.Propertiesto facilitate custom request and response parameters.StrictRedirectUriValidatorAppAuthhas been fixed.ErrorMessageclass.ValidatedBackchannelAuthenticationRequest.RequestedResourceIndiatorsproperty was renamed toRequestedResourceIndicators(corrects spelling of indicators).Full v7.0.0 Changelog
.NET 8
IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.
TimeProviderbased clock abstraction improves the granularity of the clock and make code that depends on it easier to test. See #1341.Pushed Authorization Requests
IdentityServer now supports Pushed Authorization Requests. Pushed Authorization Requests (PAR) is a relatively new OAuth standard that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine to machine http calls on the back end). See #1424.
OpenTelemetry Metrics
IdentityServer's support for OpenTelemetry now includes support for metrics. OpenTelemetry measurements are now made where we have historically raised our custom events. While IdentityServer will continue to raise those custom events, we think that OpenTelemetry offers significant advantages (open standards and a large ecosystem of tooling), and we intend to emphasize OpenTelemetry in our future work related to observability. See #1456.
Reusable Refresh Tokens
Refresh tokens are now reusable by default. Rotated refresh tokens have historically been encouraged (and been our default), however more recent guidance from the IETF and our own experience have shown that rotation is not usually helpful from a security point of view but is actively harmful to the user experience and produces greater load on the data store.
Rotation of refresh tokens often does not improve their security because a sophisticated attacker can observe the rotation happening while the user is active, and only make use of the final token after the user is no longer active. See OAuth for Browser Based Apps for more details on this sort of attack.
Rotation harms the user experience, because if the token is rotated, but the network response with the new token fails, the user will have to log in again.
Rotation adds pressure on the data store because each time the token rotates, the old record must be updated and a new record written.
Given all these considerations, we have changed our default for
RefreshTokenUsagetoReUse. Also see #1500.Token Cleanup Job Improvements
The token cleanup job has historically been the cause of database contention, especially in load-balanced environments, as multiple instances of the job each try to update the table. This release includes a new implementation of the cleanup job which uses EntityFramework's execute delete api to improve performance as well as randomizing the initial startup time of the cleanup job, to help reduce the amount of concurrency across instances. See #1501.
Breaking Changes
Likely to impact most implementations
Duende.IdentityServer.EntityFrameworknow uses a 64-bit long as its primary key (previously was a 32-bit int). See #1463.Client.RequirePushedAuthorizationis a new boolean property that controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's flag is enabled (this can't be used to opt out of the global configuration). It is safe to initialize this column to false for existing clients, which will mean that the global configuration will be used.... (truncated)
7.0.0-preview.2
Identity Server 7.0.0 Preview 2 previews support for .NET 8, pushed authorization requests, OpenTelemetry Metrics, and many other fixes and improvements.
.NET 8
IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.
TimeProviderbased clock abstraction improves the granularity of the clock and make code that depends on it easier to test. See #1341.Pushed Authorization Requests
IdentityServer now supports Pushed Authorization Requests. Pushed Authorization Requests (PAR) is a relatively new OAuth standard that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine to machine http calls on the back end). See #1424.
OpenTelemetry Metrics
IdentityServer's support for OpenTelemetry now includes support for metrics. OpenTelemetry measurements are now made where we have historically raised our custom events. While IdentityServer will continue to raise those custom events, we think that OpenTelemetry offers significant advantages (open standards and a large ecosystem of tooling), and we intend to emphasize OpenTelemetry in our future work related to observability. See #1456.
Breaking Changes
Likely to impact most implementations
Duende.IdentityServer.EntityFrameworknow uses a 64-bit long as its primary key (previously was a 32-bit int). See #1463.Client.RequirePushedAuthorizationis a new boolean property that controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's flag is enabled (this can't be used to opt out of the global configuration). It is safe to initialize this column to false for existing clients, which will mean that the global configuration will be used.Client.PushedAuthorizationLifetimeis a new nullable integer property that controls the lifetime of pushed authorization requests (in seconds) for a client. If this lifetime is set, it takes precedence over the global configuration. It is safe to initialize this column tonullfor existing clients, which means the global configuration is used.Only impacts particular customizations or edge cases
The
DefaultCorsPolicyServicenow depends on theIConfigurationDbContextdirectly, instead of taking a dependency on theIServiceProviderand resolving that DbContext from it. If you have a customized CORS implementation that derives from theDefaultCorsPolicyService, you need to update the constructor of your derived class to use theIConfigurationDbContext. See #1239.The
DPoPProofValidatonContexthas been refactored. Instead of theClientproperty, we now put the relevant details (expiration validation mode and clock skew) directly in the context. We also have added the HTTP method and URL to the context. If you have a custom implementation of theIDPoPProofValidatoror a class that derives from theDefaultDPoPProofValidator, update your usage of the context appropriately. See #1338.The
DefaultTokenServiceno longer includes anIHttpContextAccessor. This member was unused by the default implementation and marked as obsolete. Customizations that derive from theDefaultTokenServiceno longer need to pass the accessor to the base constructor. If such a customization needs the accessor, add it to the derived class. See #1457.The reference token store now includes the session id when revoking reference tokens. Implementors of
IReferenceTokenStoreshould update their implementation of token revocation to include the session id. See #1321.Invalid prompt modes now cause validation errors that result in an HTTP 400 (Bad Request). Previously, invalid prompt modes were ignored. This complies with updates to the OpenID Connect specification. See #1331.
Newly Deprecated
IAuthorizationParametersMessageStoreis deprecated. PAR is a more robust/standardized approach to get similar benefits. See #1462.The
IHttpContextAccessorin theEndSessionRequestValidatoris unused and has been marked as obsolete. It will be removed in a future version. See #1457.Previously Deprecated, Now Removed
IdentityServerOriginconstant has been removed.HttpContexthave been removed. These methods are replaced by methods inIServerUrlsandIIssuerNameService. See #1457HttpContext.GetSchemeSupportsSignOutAsyncis replaced byIAuthenticationHandlerProvider.GetHandlerAsync(you will also need to check if the handler implementsIAuthenticationSignOutHandler).HttpContext.GetIdentityServerOriginandHttpContext.SetIdentityServerOriginare replaced byIServerUrls.Origin.HttpContext.GetIdentityServerBasePathandHttpContext.SetIdentityServerBasePathare replaced byIServerUrls.BasePath.GetIdentityServerHostis replaced byIServerUrls.OriginGetIdentityServerBaseUrlis replaced byIServerUrls.BaseUrlGetIdentityServerRelativeUrlis replaced byIServerUrls.GetIdentityServerRelativeUrlGetIdentityServerIssuerUriis replaced byIIssuerNameService.GetCurrentAsyncRedirectToAbsoluteUrlis replaced by redirecting to a call toIServerUrls.GetAbsoluteUrl.IUserSessionExtensionsinterface has been removed. See #1457.... (truncated)
7.0.0-preview.1
Identity Server 7.0.0 Preview 1 previews support for .NET 8, as well as many other fixes and improvements.
.NET 8
IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.
TimeProviderbased clock abstraction improves the granularity of the clock and make code that depends on it easier to test. See #1341.Breaking Changes
Breaking changes are organized below based on the likelihood that they will impact your implementation. In summary, IdentityServer 7 preview 1 will require that you update to .NET 8, and may require minor changes if you are using particular extensibility points.
Likely to impact most implementations
Only impacts particular customizations or edge cases
The
DefaultCorsPolicyServicenow depends on theIConfigurationDbContextdirectly, instead of taking a dependency on theIServiceProviderand resolving that DbContext from it. If you have a customized CORS implementation that derives from theDefaultCorsPolicyService, you need to update the constructor of your derived class to use theIConfigurationDbContext. See #1239.The
DPoPProofValidatonContexthas been refactored. Instead of theClientproperty, we now put the relevant details (expiration validation mode and clock skew) directly in the context. We also have added the HTTP method and URL to the context. If you have a custom implementation of theIDPoPProofValidatoror a class that derives from theDefaultDPoPProofValidator, update your usage of the context appropriately. See #1338.The reference token store now includes the session id when revoking reference tokens. Implementors of
IReferenceTokenStoreshould update their implementation of token revocation to include the session id. See #1321.Invalid prompt modes now cause validation errors that result in an HTTP 400 (Bad Request). Previously, invalid prompt modes were ignored. This complies with updates to the OpenID Connect specification. See #1331.
Unlikely to impact anyone
The
KeyManagementOptions.SigningAlgorithmsis now anICollectionrather than anIEnumerable. If you are configuring signing algorithms using code, and setting theSigningAlgorithmsto some type that implementsIEnumerablebut notICollection, then you must change the type that you are using. In practice, we expect everyone uses a list or array (which are both ICollections). See #1375.The value of the constant
IdentityServerAuthenticationTypehas changed from "IdentityServer4" to "Duende.IdentityServer". This constant is used as the value of the authentication type within the ClaimsIdentity that IdentityServer constructs. The authentication type's value is never used by IdentityServer or ASP.NET, so this is unlikely to impact anyone. It is also the name of the default cors policy created by IdentityServer. This could theoretically impact you if you have a CORS policy named "Duende.IdentityServer", as the new name now conflicts. See #1457.Improvements
IHttpResponseWriterto write their http responses. This facilitates customization, when you need to control the way that http responses are written. This change was made in a way that was designed to be backwards compatible. Any customIEndpointResultorIEndpointHandlershould still work the way they used to. See #1342.IdentityServerEntityFrameworktemplate now supports theInitiateLoginUriclient property. See #1314.Bug Fixes
KeyManagementOptionsto be bound from appsettings.json or other config sources. See #1375.Full Changelog: DuendeSoftware/products@6.3.5...7.0.0-preview.1
6.3.10
This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.
6.3.9
This is a patch release that updates our dependency on ASP.NET framework packages from version 6.0.0 (or 7.00) to version 6.0.26 (or 7.0.15). This updates our transitive dependency on the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens packages past versions that have a known Denial of Service vulnerability.
What's Changed
Full Changelog: DuendeSoftware/products@6.3.8...6.3.9
6.3.8
This is a minor release that improves error handling of grant deserialization.
What's Changed
Full Changelog: DuendeSoftware/products@6.3.7...6.3.8
Commits viewable in compare view.
Updated MailKit from 4.5.0 to 4.16.0.
Release notes
Sourced from MailKit's releases.
No release notes found for this version range.
Commits viewable in compare view.
Updated MessagePack from 2.5.140 to 2.5.301.
Release notes
Sourced from MessagePack's releases.
2.5.301
Security release
This release fixes 2 high severity and 9 moderate severity security vulnerabilities as listed below.
This release is missing #2269 from the v2.5.205 release. We recommend folks adopt the v2.5.302 release which has all the security fixes combined.
High severity advisory fixes
Moderage severity advisory fixes
Fixes with no security advisory
2.5.205
What's Changed
New Contributors
Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v2.5.192...v2.5.205
2.5.198
What's Changed
New Contributors
Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v2.5.192...v2.5.198
2.5.192
What's Changed
Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v2.5.187...v2.5.192
2.5.187
Changes:
This list of changes was auto generated.
2.5.172
What's Changed
[MessagePackFormatter]on parameters and return values by @AArnott in Allow applying[MessagePackFormatter]on parameters and return values MessagePack-CSharp/MessagePack-CSharp#1901Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v2.5.171...v2.5.172
2.5.171
What's Changed
Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v2.5.168...v2.5.171
2.5.168
What's Changed
New Contributors
Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v2.5.140...v2.5.168
Commits viewable in compare view.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.