Microsoft.Identity.Web now surfaces the Microsoft.IdentityModel. logs via the IIdentityLogger
*. Developers will see an increase in logging, with insight into the request validation logs, especially for web APIs. See issue #1730 for details.
Regression fix where AddMicrosoftIdentityUserAuthenticationHandler
needs a scoped service, not a singleton. See issue #1757 for details.
Microsoft.Identity.Web now supports checking for scopes or app permissions, via the RequestedScopeOrAppPermissionAttribute
. See issue #1641 for details.
Extend TokenAcquisitionTokenCredential concept to support tokens as app. See issue #1723 for details.
IJwtBearerMiddlewareDiagnostics is now transient and not a singleton. See issue #1710 for details.
In web API scenario, use the tid
claim of the incoming assertion, unless overridden. See issue #1738 for details.
Microsoft.Identity.Web now returns TokenValidatedContext.Fail
instead of throwing UnauthorizedAccessException
in case of missing roles or scopes, which enables a better developer experience. See issue #1716 for details.
Update to Microsoft.IdentityModel 6.17.0.
Preview only. Support cert-less authentication. See issues #1591 and #1699 for details.
Improved support for inheriting/customizing MicrosoftIdentity*AuthenticationHandler
. See issue #1667 for details.
Fix a regression in ScopeAuthorizationHandler. See issue #1707 for details.
Fix null ref in merged options and log the AuthenticationScheme that was used. See issues #1440 and #1443 for details.
Fix xml parameter description. See issue #1677 for details.
Fix reading environment variable in app service auth. See issue #1506 for details.
Fix error message in DefaultCertficateLoader. See issue #1702 for details.
Update to MSAL.NET 4.42.0.
Microsoft.Identity.Web.TokenCache now throws an actionable error message when the L2 cache deserialization fails, which can happen when the encrypt key of a shared distributed cache are different on different machines. See issues #1643 and MSAL issue 3162 for details.
Fix a null reference when using ITokenAcquisition in a background callback in a web wepp. See issue #1656 for details.
Update to MSAL.NET 4.41.0.
Microsoft Identity Web now supports hybrid SPA. See issue #1528 for details.
Fix a null reference when the web API is initialized with delegates and called from an event handler, without configuration. See issues #1615 and #1602 for details.
Update to Microsoft.IdentityModel 6.15.1.
Microsoft.Identity.Web now also checks the data.RequiredScopesConfigurationKey
when setting the RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")
attribute. See issue #1600 for details.
Fix issue around user assigned managed identity when loading KeyVault certificates. See issue #1598 for details.
Update to MSAL.NET 4.40.0.
Microsoft Identity Web, as a proof of concept, supports certificate-less auth using Managed Service Identity (MSI). See issue #1585 for details.
Microsoft Identity Web now allows you set the request headers for the IDownstreamWebAPI. See issues #1063 and #891 for details.
Microsoft.Identity.Web.TokenCache exposes a boolean EnableAsyncL2Write
as part of the MsalDistributedTokenCacheAdapterOptions
, which enables you to do async writes (fire and forget) to the L2 cache. See issue #1047 and #1526 for details.
When integrating with the MISE pipeline, client certificates are now taken into account when calling downstream APIs in controllers. See issue #1583 for details.
When using the L1/L2 cache, the L2 eviction is now based on the token expiration value from MSAL.NET, similar to what is done with the L1 eviction. See issue #1566 for details.
Add an SBOM generate to release builds. See issue #1546 for details.
Update to Microsoft.Graph 4.11.0, Microsoft.Graph.Beta 4.22.0-preview, MSAL.NET 4.39.0, Microsoft.IdentityModel 6.15.0.
Update to Microsoft.Graph 4.10.0, Microsoft.Graph.Beta 4.20.0-preview, MSAL.NET 4.38.0
Microsoft.Identity.Web now supports a long running process in web APIs, by leveraging new APIs in MSAL.NET 4.38.0. See the Long running process article and issue #1414 for details.
Honor TenantId
in .WithAppOnly()
. See issue #1536 for details.
Azure Region not prepended to the endpoint, have fixed a regression in the MergedOptions
. See issue #1535 for details.
Update Microsoft.AspNetCore.Authentication.JwtBearer
to 5.0.12, due to security vulnerability in previous version. See issue #1532 for details.
Update to Microsoft.Graph 4.9.0, Microsoft.Graph.Beta 4.19.0-preview, Microsoft.IdentityModel 6.14.1.
Microsoft.Identity.Web.TokenCache now offers the possiblity of defining MemoryCacheOptions, such as eviction and size limit options with the InMemoryCache for .NET Framework. See issue #1521 for details.
Bug fix in M.IM.Validators when dealing with multiple auth schemes. See release notes for details.
Update to Microsoft.Graph 4.8.0, Microsoft.Graph.Beta 4.18.0-preview, Microsoft.IdentityModel 6.14, and MSAL.NET 4.37.0.
A new assembly, Microsoft.IdentityModel.Validators, is now leveraged in Microsoft.Identity.Web as the AadIssuerValidator. It provides an issuer validator for the Microsoft identity platform (AAD and AAD B2C), working for single and multi-tenant applications and v1 and v2 token types. See Identity.Model and #1487. The MicrosoftIdentityIssuerValidatorFactory
is still in Microsoft.Identity.Web and leverages this new Identity.Model library
Microsoft.Identity.Web now supports authentication handlers other than JwtBearer, and the token acquisition in web API understands a higher level abstraction of SecurityToken, not only JwtSecurityToken
. See #1498.
Make Certificate
in CertificateDescription.cs
protected internal
. See #1484.
This preview release contains a preview version of MSAL.NET, 4.37.0-preview, which includes token cache improvements. The .AddMemoryCache
should now be much faster, but the memory is not bounded, nor does it have any eviction policies, so not recommended for use in production if user flows are involved (GetTokenForUser
). Once MSAL.NET releases 4.37.0, Microsoft.Identity.Web will release an out of preview version as well.
Update to Microsoft.Graph 4.6.0, Microsoft.Graph.Beta 4.14.0-preview, and MSAL.NET 4.36.2.
Change RequiredScope to be based on policies and not filters. This enables new scenarios that do not rely on MVC filters. See issue #1002 for details.
Allow customizing the UI processing by decoupling the Microsoft.Identity.Web
and Microsoft.Identity.Web.Ui
packages. See issue #1034 for details.
Use backup authentication system
in docs and comments instead of CCS. See issue #1464 for details.
Microsoft.Identity.Web now provides two additional NuGet packages: Microsoft.Identity.Web.TokenCache and Microsoft.Identity.Web.Certificate. These packages are for ASP.NET Framework and .NET Core apps who want to use the token cache serializers and/or the certificate loader, but do not want all the dependencies brought by the full Microsoft.Identity.Web package. If you are on ASP.NET Core, continue to use Microsoft.Identity.Web. See issue #1431 for details.
Update to Microsoft.Graph 4.4.0, Microsoft.Graph.Beta 4.11.0-preview, and MSAL.NET 4.36.0.
Handle a SuggestedCacheExpiry
in the past. See issue #1419 for details.
Fix a NullReferenceException
when calling GetTokenForApp
from an anonymous controller. See issues #1372 and #1348 for details.
Update to IdentityModel 6.* and Microsoft.Graph 4.2.0 and Microsoft.Graph.Beta 4.7.0-preview.
The MsalDistributedTokenCacheAdapterOptions
now expose a boolean DisableL1Cache
, which will bypass the InMemory (L1) cache and only use the Distributed cache. See issue (#1388)[AzureAD#1388] for details.
When using ASP.NET Individual auth, Microsoft Identity Web provides an overload to define the DisplayName
of the Identity Provider. See issue #808 for details.
In .NET Framework, when recreating the CCA each time, the cache is not hit. Now the ServiceProvider for the InMemory or Distributed cache is not instantiated each time. See issue #1390 for details.
The NonceCookie and CorrelationCookie configurations are now hooked up correctly in Microsoft Identity Web. See issue #1262 for details.
Fix a transitive ArgumentException
when adding a preexisting key in the Temp Data. See PR #1382 for details.
Fix a KeyNotFoundException
when calling WithAppOnly()
. See issue #1365 and PR #1377 for details.
Remove context.Success()
in the web API so that further middleware processing can occur. See issue #929 for details.
Update to the latest version of MSAL .NET (4.35.1).
Use CreateAuthorizationHeader()
for GraphClientService requests, which enables support for other schemes, like PoP. See issue (#1355)[AzureAD#1355] for details.
Fix NullReferenceException when customer invokes OnTokenValidated
. Microsoft Identity Web now processes the custom OnTokenValidated
after setting the OBO token. See issue #1348 for details.
Add EnableCacheSynchronization
to merged options. See issue #1345.
Microsoft Identity Web now provides a token cache encryption strategy for the Distributed token cache. See issue #1044 for details.
Microsoft Identity Web now provides a DelegatingHandler which uses ITokenAcquisition
to get a token and inject it in the Authorization HTTP headers. See issue #1131 for details.
Update XML comment and link. See issues #1325 and #1322.
Update the backup authentication system routing implementation to remove technical debt. See issue #1303.
Use the SuggestedCacheKeyExpiry
provided in MSAL.NET 4.34.0 to optimize cache eviction in the app token cache. See issue #1304 for details.
Fix an issue with issuer validation with v1 tokens using /organizations
. See issues #1310 and #1290.
Deterministic builds are now enabled on Azure DevOps. See issue #1308.
Fix MergedOption
to merge the scopes. See issue #1296.
Microsoft Identity Web now provides a more simplified developer experience with the MSAL.NET token cache, available for ASP.NET, .NET Core, or .NET Framework. See issue #1277 for details.
Microsoft Identity Web supports, out of the box, the AAD backup authentication system which operates as an AAD backup, by sending a routing hint to the /authorize and /token endpoints. See issue #1146 for details.
Fix isue regarding specifying multiple decryption certificates. See issue #1243 for details.
Fixes a regression that was introduced with the multi-scheme work where the LegacyCacheCompatibilityEnabled
value was taken from the ConfidentialClientApplicationOptions
(default true), instead of the MicrosoftIdentityOptions
(default false). See issue #1268 for details.
Microsoft Identity Web now supports the CancellationToken, in the Distributed and Session cache adapters and in the TokenAcquisitionOptions
for the calls to MSAL.NET. See issue #1239 for details.
The order of the LogLevel in TokenAcquisition did not correctly honor the nested log settings. See issue #1250 for details.
Fix a bug with certificate rotation and not pass a null certificate value to Microsoft.IdentityModel. See issue #1243 for details.
When using EasyAuth, fix case insensitivity when specifying the default provider. See issue #1163 for details.
EasyAuth took a breaking change by not adding the logout path environment variable, the logout error with EasyAuth v2 is fixed. See issue #1234 for details.
Microsoft Identity Web now uses the /.well-known/openid-configuration
endpoint to determine the issuer values. Now the different clouds work as well. See issue #1167 for details.
A lock in the response stream caused an exception when copying the content to a stream. See issue #1153 for details.
Fix issue with RequiredScope
attribute on the Controller when used with RequiredScopesConfigurationKey
. See issues #1223, #1197, and #1036.
Fix response_type
in MergedOptions
. Regression from 1.10 version. See #1215 for details.
Fix RoleClaimType
when set as part of the MicrosoftIdentityOptions
. Regression from 1.10 version. See #1218 for details.
Microsoft Identity Web UI now displays a better error message when run in a Production environment to assist with debugging. See issue #1213 for details.
Microsoft Identity Web UI now honors a local redirect URI after sign-in. This is if you want to redirect the user to a specific page within the add. See issue #760 for details.
Fix public API spelling of CertificateDescription.FromStoreWithThumbprint
. See issue #791 for details.
Microsoft Identity Web now supports multiple authentication schemes. This means, you can have several authentication schemes in the same ASP.NET Core app. Such as two Azure AD web apps, or an Azure AD app and an Azure AD B2C app, or a web app and a web API. Basically mixing authentication schemes in the same ASP.NET Core app. See the wiki for details and code samples and related issues: #549, #429, #958, #1126, #971, #173, #955, and #1127.
Microsoft Identity Web provides more logging regarding the time spent in the MSAL.NET cache. See logging for information on setting up the logs, and use debug or trace to access the cache specific MSAL.NET logs.
Microsoft Identity Web now supports certificate rotation with the Azure KeyVault. See issue #956 for details.
Microsoft Identity Web now includes the Proof Key for Code Exchange (PKCE) on the Authorization Code Grant to minimize authorization code interception attacks. See issue #470 for details.
Revert fix for breaking change introduced in Microsoft.IdentityModel. version="6.9"*, which was fixed in v.6.10. See issue #1140 for details.
Standardize the value for "Domain"
in appsettings.json
of the templates. See issue #1148 for details.
Enable workaround to fix regression in App Services authentication due to case sensitivity. See issue #1163 for details.
Microsoft.IdentityModel. version="6.9" introduced a breaking change in the mapping of the User.Identity.Name claim*. Microsoft.Identity.Web 1.9, started leveraging Microsoft.IdentityModel 6.10 to improve resiliency. With this breaking change Microsoft Identity Web 1.9.1 has a temporary workaround in place until a new Microsoft.IdentityModel version is released with a fix. See issues #1136 and #1140 for details.
Fix obsolete attribute and error message on ReplyForbiddenWithWwwAuthenticateHeaderAsync
. See issue #1137 for details.
Fix Stackoverflow tags in ReadMe. See issue #1128.
Microsoft Identity Web now exposes a token provider that the Azure SDKs can use. See PR for details.
Microsoft Identity Web now supports .NET Framework 4.6.2. See issue #1086.
Microsoft Identity Web supports calls for regional STS for 1st party only, this is due to MSAL.NET release 4.29, and AzureRegion
is available via the ConfidentialClientApplicationOptions
.
Microsoft Identity Web now locks on the HttpContext, to better handle multi-threaded applications. See issue #1097 and PR and PR.
Microsoft Identity Web now implements LoggerMessage
for high performance logging. See issue #1105 for details.
Performance improvements. See PRs #1089, #1098, #1092, and #1085.
Documentation updated to show how to use ClientCapabilities
. See issue #1071 and also the wiki.
Clear documentation on what is available in Microsoft Identity Web and when to use MSAL.NET, Microsoft Identity Web, or both. See issue #1057 and Is MSAL.NET right for me?.
Update to latest version of MSAL.NET 4.28.1.
With the L1/L2 cache updates in 1.8.0, if a cache item is found in the L1 cache, the L2 cache needs to be refreshed. See issue #1061 for details.
Microsoft Identity Web now provides a more sophisticated and performant L1/L2 (In Memory and Distributed) token cache. See issue #957 for details.
Related to the L1/L2 cache improvements, developers can determine how to proceed when the L2 (Distributed) cache fails, ex. the L2 cache is off-line. See issue #1042 for details.
Related to the L1/L2 cache improvements, the MemoryCacheOptions
are now exposed in the MsalDistributedTokenCacheAdapterOptions
so developers can have control over the L1 (In Memory) cache, such as cache size. See issue #1048 for details.
Microsoft Identity Web supports user assigned managed identity for certificate loading. See issue #1007 for details.
msidentity-app-sync is a command line tool that creates Microsoft identity platform applications in a tenant (AAD or B2C) and updates the configuration code of your ASP.NET Core applications (mvc, webapp, blazorwasm, blazorwasm hosted, blazorserver). The tool can also be used to update code from an existing AAD/AAD B2C application. See https://aka.ms/msidentity-app-sync for details and additional information on the experience in Visual Studio 16.9. Get the tool via the NuGet package. See issue #954, and 977.
Microsoft Identity Web now disables the ADAL cache lookup by default when calling into MSAL .NET. If you have ADAL apps which share a cache with MSAL apps, you would want to set LegacyCacheCompatibilityEnabled = true
in appsettings.json
. Otherwise, there is a performance improvement when bypassing the ADAL cache lookup. See issue #961 for details.
It's now possible to specify the X509KeyStorageFlags in the certificate description (both in the config file, or programmatically). This way if you want to use other storage flags than the default, it is possible.
Remove obsolete attribute from ValidateUserScopesAndAppRoles
. See issue #963 and #995 for details.
See blog post for details.
Microsoft Identity Web templates now include a project template for Azure Functions. See issue #899 for details.
gRPC templates now include calling graph and downstream APIs. See issue #900 for details.
Microsoft Identity Web now exposes an AuthorizationFilter attribute to express accepted scopes on controllers, actions, or pages. See issue #849 for details.
When using the delegate override of .EnableTokenAcquisitionToCallDownstreamApi
, you don't need to repeat the properties present in the Microsoft Identity Options ex. Instance, TenantId, ClientId, etc.... See issue #742 for details.
Microsoft Identity Web now exposes the DefaultCertificateLoader
, which would be used when loading a certificate from a daemon application, or an ASP NET application, using MSAL .NET directly. See issue #952 for details.
Microsoft Identity Web now supports token decryption certificates rotation. See issue #905 for details.
Microsoft Identity Web now allows the AuthorizeForScopeAttribute to specify an alternate AuthenticationScheme. See issue #870 for details.
Update to the latest version of MSAL .NET (4.25), Microsoft Graph (3.22) and Microsoft Graph Beta (0.36.0-preview).
Microsoft Identity Web templates now include a project template for gRPC. See issue #628 for details.
Microsoft Identity Web now helps writing Azure Functions protected with Azure AD or Azure AD B2C. See issue #878.
The Microsoft Identity Web B2C templates now use the recommended .b2clogin.com
instead of login.microsoftonline.com
by default. See issue #792 for details.
In a Blazor server application, when the client app requests consent for the web API, the call would result in an infinite loop. The consent screen is now correctly displayed. See issue #847 for details.
Microsoft Identity Web now leverages the logs available in MSAL .NET. See the wiki for information on setting up the logs and how to enable Pii. See issue #821 for details.
Starting in MSAL .NET 4.24, the .WithForceRefresh()
parameter is passed to the on-behalf-of call. Microsoft Identity Web now incudes it in the on-behalf-of call. It is false by default, as part of the TokenAcquisitionOptions
. See issue #811 for details.
Microsoft Identity Web now exposes the generic consent handler in Razor pages and MVC controllers in addition to Blazor pages (by registering it on a IServiceCollection
). See issue #805 for details.
Microsoft Identity Web was validating the issuer even when ValidateIssuer
was set to false. This is now fixed. See issue #797 for details.
Microsoft Identity Web now uses the redirect URI if you provide it as part of the ConfidentialClientApplicationOptions
. See issue #784 for details.
Microsoft Identity Web provides a better experience for app developers who use the legacy login.microsoftonline.com/tfp/
authority for B2C applications. See issue #143 for details.
A tenanted authority must be used in the acquire token for app scenario. If common
or organizations
is used, Microsoft Identity Web will throw an actionable exception. See issue #793 for details.
The wrong constant values were used for LoginHint and DomainHint. See issue 798 and PR for details.
Microsoft Identity Web now supports individual auth with AAD external providers. To enable this, you can now specify a null cookie scheme in AddMicrosoftIdentityWebApp
. See issue #133 and issue #809.
Microsoft Identity Web now exposes token cache adapters for Memory and IDistributedCache for .NET 4.7.2, so ASP .NET MVC developers can leverage the serializers. See issue #741 for details.
Microsoft Identity Web now guards against an authority ending with //
. See issue #747 for details.
During AJAX calls, Microsoft Identity Web ensures the redirect URI is a local redirect URI. See issue #746.
KeyVault flags are now included in the private key path for certificate fetching. See issue #762 for details.
Microsoft Identity Web now supports App Services Authentication with Azure AD. See https://aka.ms/ms-id-web/AppServicesAuth and issue #8 for details.
Microsoft Identity Web now enables the usage of the GraphServiceClient
to call the Graph APIs with app only permissions. See https://aka.ms/ms-id-web/microsoftGraph and issue #654 for details.
Microsoft Identity Web now supports a variety of generic extension methods for use with the downstream web API calls. See issue #537 for details.
To better support Conditional Access scenarios, TokenAcquisitionOptions
now have a Claims
property. See issue #677 for details.
Using AJAX to make calls to a .NET Core application is now possible with Microsoft Identity Web. See issues #642 and #603.
In order to enable web APIs called by daemon applications to handle tokens without a roles claim, Microsoft Identity Web now exposes a boolean property in MicrosoftIdentityOptions
. See issue #707 for details.
The Microsoft.Identity.Web.UI DLL now includes strong name validation. See issue #682.
The AadIssuerValidator
class no longer has a static ConfigurationManager
, and is instead an injectable singleton. See issue #402 for details.
Microsoft Identity Web would try to add to the authorization header, at times, resulting in a format exception. Now the existing header is removed and replaced with the current one. See issue #673 for details.
In order to enable developers to use a backchannel proxy, Microsoft Identity Web now enables developers to configure the IHttpClientFactory
to include a name option which will be passed to CreateClient
via the AadIssuerValidatorOptions
. See https://aka.ms/ms-id-web/proxy and issue #551 for more details.
When using the InMemory token cache, Microsoft Identity Web enabled developers to MemoryCacheOption
, this can improve performance. See issue #639.
The .Clone()
in TokenValidationParameters has been removed as it is not needed. See issue #635 for details.
The RequestContent
parameter in DownstreamWebApi is now being used as the HttpRequestMessage.Content
if available.See issue #618.
Microsoft Identity Web now checks for the tenantId long-claim in AadIssuerValidator.GetTenantIdFromToken. See issue #617 for details.
In the blazorwasm-hosted templates, the Call Graph and Call Downstream Web Api options are now surfaced as separate pages and separate entries in the vertical menu. See issue 509.
In MicrosoftIdentityConsentAndConditionalAccessHandler.HandleException
, the redirect uri could be malformed, containing an extra /
. This has been fixed. See issue #626 for details.
Microsoft Identity Web has completed initial performance and load testing. See wiki article and issue #88 for details.
Microsoft Identity Web dependencies are updated to the latest respective versions. Also the blazorwasm template dependencies have been updated as well. See issues #641 and #631 for details.
Some constant values used in Microsoft Identity Web are available as public constants. See feature request #548 for details.
Microsoft Identity Web now sends basic telemetry data (sku and version) to AAD and AAD B2C. See issue #327 for details.
Implement TokenAcquisitionOptions
which enable developers to customize the token aquisition integration with MSAL .NET. Current options available are extra query parameters, force refresh, and correlation id. See issues #561, #494, and #532.
Microsoft Identity Web now uses a scoped service for TokenAcquisitionServices when calling Microsoft Graph. Previously a Singleton was used and this caused an infinite loop in Blazor ser_ver applications, as Blazor requires scoped services. See issues #573 and #531 for details.
Now developers can specify the client secret in the web API scenario either in Microsoft Identity Options or in the Confidential Client Application Options, previously it had to be set in both. See issue #536 for details.
Web apps calling web APIs no longer require a response_type
of id_token
, so it no longer needs to be checked in the AAD portal app registration. See issue #589.
Remove obsolete attributes for the 1.0.0 (GA) version. See issue #584 for details.
ITokenAcquisition
now exposes the AuthenticationResult
for the user from MSAL. See issue #543 for details.
Now, to use Microsoft GraphServiceClient, you need to reference Microsoft.Identity.Web.MicrosoftGraph or Microsoft.Identity.Web.MicrosoftGraphBeta. See issue #506 for details.
CallWebApiForUserAsync
handles a successful response better. See issue #503 for details.
Microsoft Identity Web can now handle two schemes in web APIs. See issues #429, #468, and #474 for details.
Add integration test coverage for web app and web API scenarios. Issues #97, #95, and #102.
In B2C web app scenarios, only signing-in users, the password reset and edit profile redirects were not working. Microsoft Identity Web now only sends the response_type
of only idToken
when in the web app scenario. See issue on password reset and edit profile for details.
See https://aka.ms/ms-id-web/0.3.0-preview for more specific details.
Before | After |
---|---|
services.AddMicrosoftWebAppAuthentication() | services.AddMicrosoftIdentityWebAppAuthentication() |
services.AddAuthentication().AddMicrosoftWebApp() | services.AddAuthentication().AddMicrosoftIdentityWebApp() |
services.AddMicrosoftWebApiAuthentication() | services.AddMicrosoftIdentityWebApiAuthentication() |
services.AddAuthentication().AddMicrosoftWebApi() | services.AddAuthentication().AddMicrosoftIdentityWebApi() |
services.AddAuthentication().AddMicrosoftWebApp().AddMicrosoftWebAppCallsWebApi() | services.AddAuthentication().AddMicrosoftIdentityWebApp().EnableTokenAcquisitionToCallDownstreamApi() |
services.AddAuthentication().AddMicrosoftWebApi().AddMicrosoftWebApiCallsWebApi() | services.AddAuthentication().AddMicrosoftIdentityWebApi().EnableTokenAcquisitionToCallDownstreamApi() |
services.AddInMemoryTokenCaches() | .EnableTokenAcquisitionToCallDownstreamApi().AddInMemoryTokenCaches() |
services.AddDistributedTokenCaches() | .EnableTokenAcquisitionToCallDownstreamApi().AddDistributedTokenCaches() |
services.AddSessionTokenCaches() | .EnableTokenAcquisitionToCallDownstreamApi().AddSessionTokenCaches() |
services.AddMicrosoftGraph() | .EnableTokenAcquisitionToCallDownstreamApi().AddMicrosoftGraph() |
services.AddDownstreamApiService() | .EnableTokenAcquisitionToCallDownstreamApi().AddDownstreamApi() |
See issue #378 and the wiki for more information on the new API.
AddInMemoryTokenCaches
method now accepts an optional MsalMemoryTokenCacheOptions
delegate parameter. See issue for details: #426.
GetAccessTokenForAppAsync
method now accepts an optional tenant
parameter, which allows applications authorized in multiple tenants to request tokens. See issue for details: #413.
Microsoft Identity Web now provides methods that simplify calling Microsoft Graph and any downstream APIs. See wiki and issues for details: #403, #427.
Project templates, samples, and dev apps were updated to use the new public API. See issues for details: #453, #418.
Previously domain hint was added to the request only if the login hint was present also. The presence of domain and login hints is now validated separately. See issue for details: #415.
Fixed a NullReferenceException
on NavigationManager
that occurred on Blazor server with Azure SignalR when using a pre-rendering mode. See issue for details: #437.
ReplyForbiddenWithWwwAuthenticateHeaderAsync
method in ITokenAcquisition
now has an additional optional HttpResponse
parameter, which can be provided in cases when the current HttpContext
is null. See issue for details: #414.
Enable Micorosoft.Identity.Web to work with any version of .NET 5.0 by setting dependencies version to 5.0.0-*
for JwtBearer
and OpenIdConnect
dependencies**. See issue for details: #380.
The AadIssuerValidator
class is now public. See issue for details: #332.
Starting in 0.2.1-preview, a MicrosoftIdentityWebChallengeUserException
was added, but customers might use the MsalUiRequiredException
, for instance by the Graph SDK. See issue for details: #398.
In a multi-tenant scenario, when calling a downstream API, Microsoft Identity Web was not returning the token for the specific tenant ID. The correct token based on the tenant, if specified, is returned. See issues for details: #344 and MSAL .NET.
When the scopes provided are invalid, an exception will be thrown in addition to recording a response back to the controller. This ensures the controller does not continue processing as authentication is not possible. See issue for details: #389.
When calling a downstream web API, Microsoft Identity Web now checks the token from the HttpContext instead of doing an acquire token silent call. This will save on cycles as MSAL .NET already does the necessary cache look up. See issue for details: #381.
When validating the application roles, only the first role claim was used, which would result in a failure with multiple roles. Microsoft Identity Web now uses all the roles and throws an exception if the roles are invalid. See issue for details: #374.
A more descriptive exception is thrown when a B2C issuer claim contains tfp
. See wiki and issue for details: #274.
Microsoft Identity Web now supports the ComponentsWebAssembly-CSharp project templates from ASP.NET Core. See issue for details: #320.
Microsoft Identity Web now supports the BlazorServerWeb-CSharp project templates from ASP .NET Core. See issue for details: #319.
When using Azure AD B2C, developers can now specify which policy/user flow to use to acquire the token. Microsoft Identity Web now exposes a user flow parameter, which allows developers to specify the policy/user flow to use with looking for tokens in the cache. See issue for details: #27.
Fixes NullReferenceException
when acquiring a user token because of a null HttpContext
. This applies to scenarios like server-side Blazor apps, long-running processes, daemon apps. See issues for details: #157, #10, #38.
When encountering a challenge from a Blazor page, Microsoft Identity Web could not handle the challenge in the same way it does for an MVC or Razor page. The challenge from a Blazor page is now handled corrected. See issue for details: #360.
When acquiring a token for a user in a server side Blazor app, a null reference exception was encountered because the CurrentHttpContext
was null. Microsoft Identity Web now uses a Blazor specific class AuthenticationStateProvider
to determine the current user. See issue for details: #157.
In the templates, CallWebApi
is an async method and now named accordingly, CallWebApiAsync
. See issue for details: #357.
Microsoft Identity Web now creates a HttpRequestMessage
to append the authorization header with the bearer token. See issue for details: 350.
In the case of no authentication, the templates no longer support the usage of --call-graph
and --call-webapi-url
. See issue for details: 337.
Now that Microsoft Identity Web can specify the AAD B2C tokens by user flow, the correct method, GetAccountAsync()
can be called for confidential clients. See issue for details: #295.
Microsoft Identity Web has error and log messages as constants. See issue for details: #261.
Before | After |
---|---|
services.AddSignIn() | services.AddMicrosoftWebAppAuthentication() |
services.AddSignIn() | services.AddAuthentication().AddMicrosoftWebApp() |
services.AddProtectedWebApi() | services.AddMicrosoftWebApiAuthentication() |
services.AddProtectedWebApi() | services.AddAuthentication().AddMicrosoftWebApi() |
.AddWebAppCallsProtectedWebApi() | .AddMicrosoftWebAppCallsWebApi() |
.AddProtectedWebApiCallsWebApi() | .AddMicrosoftWebApiCallsWebApi() |
- See the wiki for migration assistance and more information on the new API.
- Rename
MsalMemoryTokenCacheOptions.SlidingExpiration
to align with ASP.NET Core and useAbsoluteExpirationRelativeToNow
. See issue for details. - Removed the
ForceHttpsRedirectUris
,RedirectUri
, andPostLogoutRedirectUri
options fromMicrosoftIdentityOptions
. ASP.NET Core recommends the following guidance on working with proxies. See issue for more details. - Removed the
SingletonTokenAcquisition
property fromMicrosoftIdentityOptions
. See issue for details. - Microsoft Identity Web now has an
MsalDistributedTokenCacheAdapterOptions
class inheriting fromDistributedCacheEntryOptions
so the token cache serialization can expose their own options. See issue for details.
Microsoft Identity Web implements the C# 8.0 nullable standard. See issue for details.
Microsoft Identity Web now validates the app roles for a web API, for example a web API called by a daemon application. See issue for details.
Microsoft Identity Web now supports .NET 5.0, in addition to .NET Core 3.1. See issue for details.
The project templates now have an option to generate the call to a downstream web API, or a call to Microsoft Graph. See issue for details.
Microsoft Identity Web now has the ability to specify custom cookie options in the AddMicrosoftWebApp
methods. See issue for details.
When accessing KeyVault, storage flags need to be used, as there is no user profile. The correct storage flags are now used. See issue for details.
Uses the recommended workaround for the clients incompatible with the SameSite=None
cookie attribute. See issue for details.
Fixed a dependency injection anti-pattern when resolving ITokenAcquisition
. See issue for details.
The TokenValidationParameters
are now cloned before using. See issue for details.
Microsoft Identity Web now throws a SecurityTokenValidationException
, when there is an invalid audience. See issue for details.
Microsoft Identity Web no longer throws an exception if the user sets the custom audiences. See issue for details.
Removed multiple calls to HandleCodeRedemption
in TokenAcquisition
. See issue for details.
Fixes to the MsalSessionTokenCacheProvider
, such as removing the static lock object and removing the session commit. See issue for details.
In the AccountController
, Microsoft Identity Web now uses IOptions
instead of IOptionsMonitor
, for consistency. See issue for details.
Microsoft Identity Web no longer calls the BuildServiceProvider
in the configuration methods and uses a more appropriate Configure
overload that provides the required IServiceProvider
instance. See issue for details.
Microsoft Identity Web now uses the SuggestedCacheKey
returned in the TokenCacheNotificationArgs
from MSAL to determine the correct cache key. This enables the removal of several lines of code and the use of the HttpContext.User
. See issue 235, 248, 273, and 222 for details.
Microsoft Identity Web now retrieves the client_info
data directly from the protocol message. See issue for more details.
Microsoft Identity Web supports certificates. The developer can now use client and token decryption certificates, which can be retrieved from a variety of sources, like Azure Key Vault, certificate store, a Base54 encoded string, and more. The location of the certificate can be specified in a configuration file or programmatically. See issue and wiki for more details.
Microsoft Identity Web now allows specifying if the x5c claim (the public key of the certificate) should be sent to the STS. Sending the x5c enables easy certificate rollover. To enable this behavior set the SendX5C
property in the configuration file. See issue for more details.
Microsoft Identity Web provides an option to force redirect URIs to use the HTTPS scheme, which can be useful in certain scenarios, like app deployment in a container. To enable this behavior set ForceHttpsRedirectUris
property in the configuration file. See issue for more details.
Microsoft Identity Web uses System.Text.Json
namespace instead of Newtonsoft.Json
for working with JSON. See issue for more details.
The documentation now correctly specifies that ClaimsPrincipalExtensions.GetNameIdentifierId
returns a uid
claim value. See issue for more details.
New Features: Microsoft Identity Web provides an option to specify if the token acquisition service should be a singleton. See issue for more details.
Bug Fixes:
When logging in with an unauthorized account, the user was redirected to /Account/AccessDenied
which did not exist. Microsoft Identity Web UI now properly sets the path on the scheme with the same name. See issue for more details.
In the context of a guest account, Microsoft Identity Web used the loginHint
to determine the guest account for accessing the MSAL .NET cache. Now, Microsoft Identity Web retrieves user_info
from the authorization server and is able to determine the unique object identifier for guest accounts. See issue for more details.
New Features:
Microsoft Identity Web now allows developers to not pass any scope value in AddWebAppCallsProtectedWebApi
. See issue for more details.
When working with containers or reverse proxies, being able to specify the redirectUri and postLogoutRedirectUri is important. Microsoft Identity Web now allows the setting of the RedirectUri and PostLogoutRedirectUri as part of the MicrosoftIdentityOptions
. See Issue for more details.
Bug Fixes: The AddProtectedWebApiCallsProtectedWebApi method registers an event handler for OnTokenValidated without preserving any existing registered event handlers. Now events are chained correctly. See issue for details.
Depending on the endpoint, v1.0 or v2.0, and if the application is B2C or not, the default format of the aud
value in the token will be different. Microsoft Identity Web now looks at these parameters to validate the audience.
New Features: Microsoft Identity Web now uses an IHttpClientFactory to implement resilient HTTP requests. The ASP.NET Core IHttpClientFactory manages the pooling and lifetime of the underlying HttpClientMessageHandler instances, which avoids port exhaustion and common DNS problems that occur when manually managing HttpClient lifetimes. More details on this feature here.
Bug Fixes: Performance improvement: AadIssuerValidator class now caches the authority aliases under the correct cache key. See issue for more details.
When not including the ClientSecret in appsettings.json, a null reference exception was thrown when acquiring the authorization code with MSAL.NET. Microsoft Identity Web now checks all the required options and responds with actionable error messages if any are missing. See issue for more details.
New Features: Microsoft Identity Web now surfaces the ClaimConstants class. This allows developers to build a unique ClaimsPrincipal. See issue for more details
Bug Fixes:
AddSignIn()
now provides a more robust processing of authorities accepting them to end in /
or not. See issue for more details
Setting the ValidAudiences
in AddProtectedWebApi()
now accepts any custom audience (any string). See issue for more details
This is the first preview NuGet package for Microsoft Identity Web.