Skip to content

nuget-azure-ad-b2c-backend: Bump Microsoft.Identity.Web from 4.2.0 to 4.9.0#5358

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/samples/AzureADB2CAuth/auth-backend/Microsoft.Identity.Web-4.9.0
Closed

nuget-azure-ad-b2c-backend: Bump Microsoft.Identity.Web from 4.2.0 to 4.9.0#5358
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/nuget/samples/AzureADB2CAuth/auth-backend/Microsoft.Identity.Web-4.9.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Copy link
Copy Markdown
Contributor

Updated Microsoft.Identity.Web from 4.2.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.9.0

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

4.8.0

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

4.7.0

4.7.0

Bug fixes

  • Updates to Microsoft.Identity.Abstractions 12.0.0 to revert breaking changes introduced in Abstractions 11.0.0. (On .NET 10 target, Certificate extension method in CredentialDescription was reverted to normal property.) See #​3767.

4.6.0

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@4.5.0...4.6.0

4.5.0

New features

  • Add support for certificate store lookup by subject name. See #​3742.

Dependencies updates

  • Bump minimatch in /tests/DevApps/SidecarAdapter/typescript. See #​3739.
  • Bump rollup from 4.52.3 to 4.59.0 in /tests/DevApps/SidecarAdapter/typescript. See #​3740.

4.4.0

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

New Contributors

4.4.0-preview.1

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

4.3.0

New features

  • Added token binding (mTLS PoP) scenario for confidential client (app-only) token acquisition and downstream API calls. See #​3622.

Dependencies updates

  • Bumped qs from 6.14.0 to 6.14.1 in /tests/DevApps/SidecarAdapter/typescript. See #​3660.

Documentation

  • Modernized Identity Web documentation, which is now can be found in docs. See #​3566.
  • Added token binding (mTLS PoP) documentation. See #​3661.

Commits viewable in compare view.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
nuget-azure-ad-b2c-backend: Bump Microsoft.Identity.Web from 4.2.0 to…
405465f 
… 4.9.0

---
updated-dependencies:
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file nuget NuGetパッケージの更新 target: Azure AD B2C Auth Azure AD B2C認証の要件別サンプルに関係がある labels May 4, 2026
@dependabot dependabot Bot mentioned this pull request May 4, 2026
Closed
@dependabot @github

dependabot Bot commented on behalf of github May 4, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #5363.

@dependabot dependabot Bot closed this May 4, 2026
@dependabot dependabot Bot deleted the dependabot/nuget/samples/AzureADB2CAuth/auth-backend/Microsoft.Identity.Web-4.9.0 branch May 4, 2026 07:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file nuget NuGetパッケージの更新 target: Azure AD B2C Auth Azure AD B2C認証の要件別サンプルに関係がある

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants