Releases: AzureAD/microsoft-authentication-library-for-dotnet
4.85.2
What's Changed
- Delegate IMDSv2 mTLS-PoP token leg to internal TokenClient exchange (MSIv2 WithClaimsFromClient) by @Robbie-Microsoft in #6070
- Enforce mTLS PoP minimum binding strength for Managed Identity (#6049 Phase 2) by @Robbie-Microsoft in #6059
- Add refresh token cache partitioning support by @iNinja in #6077
- Detach ImdsV2ManagedIdentitySource from AbstractManagedIdentity (refused-bequest cleanup) by @Robbie-Microsoft in #6089
Full Changelog: 4.85.1...4.85.2
4.85.1
What's Changed
- Migrate OBO tests from old lab to ID4SLAB1 by @RyAuld in #6021
- Mark regional SNI mTLS PoP test inconclusive on AAD test-slice Bearer downgrade by @neha-bhargava in #6084
- Expose canonical tag names per-metric by @ssmelov in #6076
Full Changelog: 4.85.0...4.85.1
4.85.0
What's Changed
- Fix proactive token refresh bypassing cancellation, leading to unbounded semaphore wait by @jayesh-a-shah in #6054
- Add GovFr, GovDe, GovSg to AzureCloudInstance enum by @bgavrilMS in #6023
- Take home account from request, if not available elsewhere. by @yowl in #5657
- Validate Azure region format to prevent region poisoning (fixes #6060) by @Robbie-Microsoft in #6061
- Promote MsalServiceException.SubError to public by @neha-bhargava in #6063
- Migrate region discovery to IMDS /compute JSON endpoint (#6039) by @Robbie-Microsoft in #6057
- fix: Service Fabric MI sends principalId for ObjectId; reject ClientId/ResourceId (mirror of #6066) by @neha-bhargava in #6069
- Exclude caller SDK telemetry from access token cache keys by @bgavrilMS in #6074
- Add MSAL.NET telemetry enrichment by @ssmelov in #6071
New Contributors
- @jayesh-a-shah made their first contribution in #6054
- @yowl made their first contribution in #5657
Full Changelog: 4.84.2...4.85.0
4.84.2
New Features
- Added ManagedIdentityApplication.GetManagedIdentityCapabilitiesAsync(CancellationToken) returning a ManagedIdentityCapabilities object that reports the detected managed identity Source, the host's MaxSupportedBindingStrength (new MtlsBindingStrength enum: None, Software, KeyGuard), and a derived IsMtlsPopSupportedByHost. Replaces GetManagedIdentitySourceAsync() / ManagedIdentitySourceResult. The public ManagedIdentitySource.ImdsV2 value is folded into Imds (v1/v2 routing remains internal). #6049
- Added OID-based user identification to the User Federated Identity Credential (user_fic) flow via AcquireTokenByUserFederatedIdentityCredential(scopes, Guid userObjectId, assertion). #6050
- Added WithClaimsFromClient(claimsJson) to forward client-originated claims across managed identity and confidential client flows. #5999
- Added mTLS PoP support for WithCertificate(() => x509) (dynamic certificate credential). #5957
- Added opt-in token-acquisition metrics covering both successful and failed attempts. #6004
Changes
- Extended mTLS bearer transport (CertificateOptions.SendCertificateOverMtls) to the OBO, refresh-token, and authorization-code flows. #6009
- General Availability of the Microsoft.Identity.Client.KeyAttestation package. #6038
- Managed identity now probes IMDSv2 first and the preview latch was removed. #6041
- Updated NativeInterop baseline and corrected devapp version ranges. #6045
- Simplified GetTenantedAuthority in CiamAuthority and DstsAuthority. #6001
Bug Fixes
4.84.1
What's Changed
New Features
- Added WithReservedScopes and WithCachePartitionKey public API extensions in #6014
- Added IAuthenticationOperation3 interface for CDT + mTLS PoP composition in #5996
- Added MsalRemainingTokenLifetime histogram metric for token expiry tracking in #5920
Changes
- Removed [Obsolete] attribute from WithExtraBodyParameters extension method in #6006
- Replaced ConcurrentHashSet with ConcurrentDictionary<T, byte> in #5975
Bug Fixes
- Fixed WithTenantId not honoring MSA tenant GUID when specified at request level in #5958
- Fixed OBO cache returning multiple_matching_tokens_detected when attributed tokens share a partition in #5993
Full Changelog: 6ff7075...main
4.84.0
What's Changed
New Features
- Remove embedded Newtonsoft.Json, migrate to System.Text.Json exclusively in #5959
- Expose refresh token via extension and add CacheOptions.DisableInternalCache in #5947
- Added support for WithAttributeTokens in #5888
- Feature: mTLS Bearer via CertificateOptions.SendCertificateOverMtls in #5849
- Remove experimental feature gate from WithClientAssertion(ClientSignedAssertion) overload in #5945
- Support forwarding MSAL client metadata headers through IMDS to ESTS in #5912
- Add CorrelationId to AssertionRequestOptions for FIC in #5937
- Add raw STS error code to MsalFailure metric in #5961
Bug Fixes
- Fix: make System.ValueTuple conditional on net462 only in #5906
- Fix eager evaluation in ConcurrentDictionary.GetOrAdd calls in #5950
- Validate clientSignedAssertionProvider delegate is non-null in WithClientAssertion in #5956
- Improve MtlsPopTokenNotSupportedInImdsV1 error message clarity in #5908
- Added more checks for issuer validation in #5931
Improvements
- Remove region as hard requirement for mTLS PoP flows in #5902
- Add in-process MAA token caching to PopKeyAttestor in #5887
- Refactor client credential material resolution in #5835
Dependencies Updates
- Bump OpenTelemetry version in #5960
Full Changelog: 4.83.3...cb59f84
4.83.3
New Features
- Added support for User Federated Identity Credential (UserFIC) scenarios through the IByUserFederatedIdentityCredential interface and user_fic grant type. #5802
Changes
- Updated NativeInterop to version 0.20.3. #5866
Bug Fixes
- Fixed response handling in HttpListenerInterceptor.cs to ensure the full response is properly closed. #5478
- Fixed macOS detection to include the maccatalyst target in desktop platform checks. #5882
Infrastructure & Dependencies
- Extracted reusable MSAL test infrastructure into Microsoft.Identity.Lab.API. #5864
4.83.1
4.83.0
New Features
- Agent Skills: Added Agent Skills catalog with complete coverage of both Confidential Client Authentication and mTLS PoP flows #5733
- mTLS PoP Skills Guide: Added comprehensive guide for GitHub Copilot Chat covering MSAL.NET authentication, mTLS Proof of Possession, and Federated Identity Credentials #5790
Changes
- Credential Guard Attestation: Integrated native DLL handling for Credential Guard attestation with centralized versioning #5674
Bug Fixes
- IMDSv2 mTLS Auto-Recovery: Implemented automatic recovery from SCHANNEL handshake failures by evicting cached certificates and re-minting #5761
- Managed Identity Fallback Behavior: Restored classic fallback behavior in MSAL MI unless GetManagedIdentitySourceAsync() is explicitly invoked #5815
- Attestation Token Expiration: Exposed expires_on field in attestation tokens for better token lifecycle management #5741
- Service Fabric API Version: Updated Service Fabric managed identity API version from 2019-07-01-preview to 2020-05-01 #5781
- Cached Token Validation: Enhanced ValidateCachedTokenAsync to work properly with multiple APIs beyond the initial scope #5764
- Client Credentials Tenant ID: Updated result to properly pass tenant ID in client credentials flow #5754
- Experimental Flag Removal: Removed experimental flag requirement from IAuthenticationOperation and WithAuthenticationExtension #5699
- OpenTelemetry Exception Handling: Expanded OTel exception handling for Azure Functions compatibility #5720
- ICustomWebUi Security Warning: Added security warnings to ICustomWebUi documentation #5704