nuget-external-id-backend: Bump Microsoft.Identity.Web from 4.6.0 to 4.9.0

[dependabot]

Updated Microsoft.Identity.Web from 4.6.0 to 4.9.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.9.0

New features

• Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

• Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

• DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

• Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
• Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
• Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
• Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: AzureAD/microsoft-identity-web@4.8.0...4.9.0

4.8.0

What's Changed

• Bump flatted from 3.3.3 to 3.4.2 in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in Bump flatted from 3.3.3 to 3.4.2 in /tests/DevApps/SidecarAdapter/typescript AzureAD/microsoft-identity-web#3753
• Update changelog.md for ID.Web 4.6.0 by @​bgavrilMS in Update changelog.md for ID.Web 4.6.0 AzureAD/microsoft-identity-web#3756
• Add token binding to MicrosoftIdentityMessageHandler by @​cpp11nullptr in Add token binding to MicrosoftIdentityMessageHandler AzureAD/microsoft-identity-web#3743
• Bump picomatch in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in Bump picomatch in /tests/DevApps/SidecarAdapter/typescript AzureAD/microsoft-identity-web#3759
• Documentation: Clarify managed identity credential types for containerized vs. VM/App Service deployments by @​Copilot in Documentation: Clarify managed identity credential types for containerized vs. VM/App Service deployments AzureAD/microsoft-identity-web#3585
• Bump path-to-regexp from 8.3.0 to 8.4.0 in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in Bump path-to-regexp from 8.3.0 to 8.4.0 in /tests/DevApps/SidecarAdapter/typescript AzureAD/microsoft-identity-web#3762
• Upgrade Microsoft Application Insights packages by @​RojaEnnam in Upgrade Microsoft Application Insights packages AzureAD/microsoft-identity-web#3763
• Use Abstractions 12 by @​pmaytak in Use Abstractions 12 AzureAD/microsoft-identity-web#3761
• Post-4.7.0 by @​pmaytak in Post-4.7.0 AzureAD/microsoft-identity-web#3768
• Fix Comp Gov DOTNET-Security-10.0 by @​reginayap8 in Fix Comp Gov DOTNET-Security-10.0 AzureAD/microsoft-identity-web#3769
• Upgrade CodeQL to V4: Fix 10 CodeQL Analysis Warnings and Errors by @​reginayap8 in Upgrade CodeQL to V4: Fix 10 CodeQL Analysis Warnings and Errors AzureAD/microsoft-identity-web#3770
• fix warnings by @​gladjohn in fix warnings AzureAD/microsoft-identity-web#3771
• adding examples for using postgres as a distributed cache by @​JaredMSFT in adding examples for using postgres as a distributed cache AzureAD/microsoft-identity-web#3766
• Suppress AOT configuration-binding SYSLIB warnings in AotCompatibility test app by @​Copilot in Suppress AOT configuration-binding SYSLIB warnings in AotCompatibility test app AzureAD/microsoft-identity-web#3774
• Bump vite from 7.1.11 to 7.3.2 in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in Bump vite from 7.1.11 to 7.3.2 in /tests/DevApps/SidecarAdapter/typescript AzureAD/microsoft-identity-web#3772
• Skip legacy B2C local-account Todo UI test in WebAppUiTests by @​Copilot in Skip legacy B2C local-account Todo UI test in WebAppUiTests AzureAD/microsoft-identity-web#3778
• Fix initialization of ConfidentialClientApplicationOptions in MergedOptions by @​cpp11nullptr in Fix initialization of ConfidentialClientApplicationOptions in MergedOptions AzureAD/microsoft-identity-web#3760
• Bump net8/net9/net10 runtime package baselines to patched crypto servicing versions by @​Copilot in Bump net8/net9/net10 runtime package baselines to patched crypto servicing versions AzureAD/microsoft-identity-web#3779
• Fix flaky certificate test failures on CI by @​gladjohn in Fix flaky certificate test failures on CI AzureAD/microsoft-identity-web#3780
• MTLS Without Tokens Support by @​tlupes in MTLS Without Tokens Support - DownstreamApi AzureAD/microsoft-identity-web#3747
• Fix CredentialsProvider DI lifetime mismatch causing startup crash in Development by @​Avery-Dunn in Fix CredentialsProvider DI lifetime mismatch causing startup crash in Development AzureAD/microsoft-identity-web#3783
• Remove unused DataProtection configuration from Sidecar by @​Copilot in Remove unused DataProtection configuration from Sidecar AzureAD/microsoft-identity-web#3776

New Contributors

• @​RojaEnnam made their first contribution in Upgrade Microsoft Application Insights packages AzureAD/microsoft-identity-web#3763
• @​reginayap8 made their first contribution in Fix Comp Gov DOTNET-Security-10.0 AzureAD/microsoft-identity-web#3769
• @​JaredMSFT made their first contribution in adding examples for using postgres as a distributed cache AzureAD/microsoft-identity-web#3766

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

4.7.0

4.7.0

Bug fixes

• Updates to Microsoft.Identity.Abstractions 12.0.0 to revert breaking changes introduced in Abstractions 11.0.0. (On .NET 10 target, Certificate extension method in CredentialDescription was reverted to normal property.) See #​3767.

Commits viewable in compare view.

[fkoyama]

@dependabot rebase