Skip to content

Update dependency System.IdentityModel.Tokens.Jwt to 6.34.0 #35

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency System.IdentityModel.Tokens.Jwt to 6.34.0 #35

wants to merge 1 commit into from

Conversation

@mend-for-github.amrom.workers.dev
Copy link

@mend-for-github.amrom.workers.dev mend-for-github.amrom.workers.dev bot commented Aug 2, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
System.IdentityModel.Tokens.Jwt nuget minor 6.21.0 -> 6.34.0

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity CVSS Score Vulnerability
Medium Medium 6.8 CVE-2024-21319

Release Notes

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (System.IdentityModel.Tokens.Jwt)

v6.34.0

Security fixes

See https://aka.ms/IdentityModel/Jan2024/zip and https://aka.ms/IdentityModel/Jan2024/jku for details.

v6.33.0: 6.33.0

Bug Fixes:
  • Clean up log messages. See #​2339 for details.
  • Decouple JsonElements from JsonDocument, which causes issues in multi-threaded environments. See #​2340 for details.

v6.32.3

Compare Source

=======

Bug fixes:

  • Fix logging messages. See #​2288 for details.

v6.32.2

Compare Source

=======

Bug fixes:

  • Underlying JsonDocument is never disposed, causing high latency in large scale services. See #​2258 for details.

v6.32.1

=======

Bug fixes:

  • Fix thread safety for JsonClaimSet Claims and JsonWebToken Audiences. See #​2185 for details.

v6.32.0

=======

New features:

  • Adding an AAD specific signing key issuer validator. See issue #​2134 for details.
  • Better support for WsFederation. See PR for details.

Bug fixes

  • Address perf regression introduced in 6.31.0. See PR for details.

v6.31.0

Compare Source

========
This release contains work from the following PRs and commits:

v6.30.1

Compare Source

=========
This release contains work from the following PRs:

  • Modified token validation to be async throughout the call graph #​2075
  • Enforce key sizes when creating HMAC #​2072
  • Fix AotCompatibilityTests #​2066
  • Use up-to-date "now", in case take long time to get Metadata #​2063

This release addresses #​1743 and, as such, going forward if the SymmetricKey is smaller than the required size for HMAC IdentityModel will throw an ArgumentOutOfRangeException which is the same exception when the SymmetricKey is smaller than the minimum key size for encryption.

v6.30.0

Compare Source

=========
Beginning in release 6.28.0 the library stopped throwing SecurityTokenUnableToValidateException. This version (6.30.0) marks the exception type as obsolete to make this change more discoverable. Not including it in the release notes explicitly for 6.28.0 was a mistake. This exception type will be removed completely in the next few months as the team moves towards a major version bump. More information on how to replace the usage going forward can be found here: https://aka.ms/SecurityTokenUnableToValidateException

Indicate that a SecurityTokenDescriptor can create JWS or JWE
#​2055
Specify 'UTC' in log messages
ceb10b1
Fix order of log messages
05eeeb5

Fixed issues with matching Jwt.Kid with a X509SecurityKey.x5t
#​2057
#​2061

Marked Exception that is no longer used as obsolete
#​2060

Added support for AesGcm on .NET 6.0 or higher
85fa86a

First round of trimming analysis preparation for AOT
#​2042

Added new API on TokenHandler.ValidateTokenAsync(SecurityToken ...) implemented only on JsonWebTokenHandler.
#​2056

v6.29.0

Compare Source

=========

  • Add BootstrapRefreshInterval (#​2052)
  • Added net462 target (#​2049)
  • Create the configuration cache in the BaseConfigurationManager class (#​2048)

v6.28.1

Compare Source

=========

  • Add BootstrapRefreshInterval (#​2052)
  • Added net462 target (#​2049)
  • Create the configuration cache in the BaseConfigurationManager class (#​2048)

v6.28.0

Compare Source

========

  • Update Wilson logs with aka.ms pointers to known wikis in #​2027
  • Fix typo in documentation #​2034
  • Introduce a LKG configuration cache to store each valid base configuration instead of a single entry of configuration #​2007
  • Add encryption keys to base configuration #​2023
  • Updated CHANGELOG link #​2026

v6.27.0

========
Servicing release
Set maximum depth for Newtonsoft parsing.
#​2024
Improve metadata failure message.
#​2010
Validate size of symmetric signatures.
#​2008
Added property TokenEndpoint to BaseConfiguration.
#​1998

v6.26.1

=========

Bug Fixes:

Releasing a Hotfix for Wilson 6.26.0 that reverts async/await changes made in #​1996 to address a performance reduction issue.

  • Changes are in #​2015
  • Root cause analysis and fix will be tracked in #​2017

v6.26.0

Compare Source

Servicing release
Introducing a new boolean TokenValidationParameter LogTokenId.
#​2002
Update System.Text.Encodings.Web
#​1997
Update ValidateToken call stack fully async
#​1996
JsonWebTokenHandler to return the JsonWebToken on validation failure
#​1989
Update documentation of DefaultTokenLifetimeInMinutes
#​1988

v6.25.1

Compare Source

Servicing release
.net was throwing when JWT tokens contained claims that used escaped characters.
#​1975
Fixed Typo in comments
#​1971
Added inner exception to help diagnose when reading JWT tokens fails.
#​1968
Updated comments to improve understanding of RoleClaimTypeRetriever and NameClaimTypeRetriever
#​1960

v6.25.0

Compare Source

Add Instance property bag that is cleared when Clone is called.
Added comments to JsonWebTokenHandler and JwtSecurityTokenHandler to emphasize that ReadToken does not validate the token.
#​1952
#​1954

v6.24.0

Compare Source

Single feature to control if exceptions are logged for Audience and Issuer failures.
Sometimes multiple policies are used, when a subsequent policy succeeds the upper layer can decide if previous exceptions should be logged.
#​1949

v6.23.1

Compare Source

A simple 'dot' release to fix an issue where JsonWebTokenHandler virtual CreateClaimsIdentity was not called.
#​1940

v6.23.0

Compare Source

=========

New Features:

Microsoft.IdentityModel has two assemblies to manipulate JWT tokens:

System.IdentityModel.Tokens.Jwt, which is the legacy assembly. It defines JwtSecurityTokenHandler class to manipulate JWT tokens.
Microsoft.IdentityModel.JsonWebTokens, which defines the JsonWebToken class and JsonWebTokenHandler, more modern, and more efficient.
When using JwtSecurityTokenHandler, the short named claims (oid, tid), used to be transformed into the long named claims (with a namespace). With JsonWebTokenHandler this is no longer the case, but when you migrate your application from using JwtSecurityTokenHandler to JsonWebTokenHandler (or use a framework that does), you will only get original claims sent by the IdP. This is more efficient, and occupies less space, but might trigger a lot of changes in your application. In order to make it easier for people to migrate without changing their app too much, this PR offers extensibility to re-add the claims mapping.

Bug Fixes:

v6.22.1

Compare Source

=========

New Features:

Microsoft.IdentityModel has two assemblies to manipulate JWT tokens:

System.IdentityModel.Tokens.Jwt, which is the legacy assembly. It defines JwtSecurityTokenHandler class to manipulate JWT tokens.
Microsoft.IdentityModel.JsonWebTokens, which defines the JsonWebToken class and JsonWebTokenHandler, more modern, and more efficient.
When using JwtSecurityTokenHandler, the short named claims (oid, tid), used to be transformed into the long named claims (with a namespace). With JsonWebTokenHandler this is no longer the case, but when you migrate your application from using JwtSecurityTokenHandler to JsonWebTokenHandler (or use a framework that does), you will only get original claims sent by the IdP. This is more efficient, and occupies less space, but might trigger a lot of changes in your application. In order to make it easier for people to migrate without changing their app too much, this PR offers extensibility to re-add the claims mapping.

Bug Fixes:

v6.22.0

Compare Source

=========

New Features:

Unmasked non-PII properties in log messages -
In Microsoft.IdentityModel logs, previously only system metadata (DateTime, class name, httpmethod etc.) was displayed in clear text. For all other log arguments, the type was being logged to prevent Personally Identifiable Information (PII) from being displayed when ShowPII flag is turned OFF. To improve troubleshooting experience non-PII properties - Issuer, Audience, Key location, Key Id (kid) and some SAML constants will now be displayed in clear text. See issue #​1903 for more details.

Prefix Wilson header message to the first log message -
To always log the Wilson header (Version, DateTime, PII ON/OFF message), EventLogLevel.LogAlways was mapped to LogLevel.Critical in Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter class which caused confusion on why header was being displayed as a fatal log.
To address this, header is now prefixed to the first message logged by Wilson and separated with a newline. EventLogLevel.LogAlways has been remapped to LogLevel.Trace. See issue #​1907 for more details.

Bug Fixes:

Copy the IssuerSigningKeyResolverUsingConfiguration delegate in Clone() #​1909

  • If you want to rebase/retry this PR, check this box

@mend-for-github.amrom.workers.dev mend-for-github.amrom.workers.dev bot added the security fix Security fix generated by Mend label Aug 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security fix Security fix generated by Mend

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant