chore(deps): update nuget non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Azure.Security.KeyVault.Secrets (source)	4.5.0 -> 4.7.0
Microsoft.IdentityModel.Tokens	7.0.2 -> 7.7.1

---

Release Notes

Azure/azure-sdk-for-net (Azure.Security.KeyVault.Secrets)

v4.7.0

Compare Source

4.7.0 (2024-10-14)

Features Added

• Support for Continuous Access Evaluation (CAE).

v4.6.0

Compare Source

4.6.0 (2024-02-14)

Changes from both the last release and the last beta include:

Features Added

• Added CertificateProperties.X509ThumbprintString to return the hexadecimal string representation of the SHA-1 hash of the certificate.
  CertificateProperties.X509Thumbprint has been hidden but is still available.

Breaking Changes

• Renamed tags reported on CertificateClient activities to following OpenTelemetry attribute naming conventions:
  • certificate to az.keyvault.certificate.name
  • version to az.keyvault.certificate.version
  • issuer to az.keyvault.certificate.issuer.name

Bugs Fixed

• When a Key Vault is moved to another tenant, the client is reauthenticated.

Other Changes

• The default service version is now "7.5".
• Distributed tracing with ActivitySource is stable and no longer requires the Experimental feature-flag.

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (Microsoft.IdentityModel.Tokens)

v7.7.1

Compare Source

7.7.1

Bug Fix

• Re-add JsonSerializerPrimitives.TryAllStringClaimsAsDateTime which was removed as it is in an internal class, but due to InternalsVisibleTo can lead to a MissingMethodException if IdentityModel versions are not aligned. See PR #​2734 for details.

v7.7.0

7.7.0

CVE package updates

CVE-2024-30105

• A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Opt in to the new behavior via an AppContext switch. See PR #​2715 for details.

v7.6.2

Compare Source

7.6.2

Bug Fix:

• Revert reduced allocations in AadIssuerValidator by not using string.Replace where appropriate due to an index out-of-range error.

v7.6.1

Compare Source

=====

New Features:

• Added an Audiences member to the SecurityTokenDescriptor to make it easier to define multiple audiences in JWT and SAML tokens. Addresses issue #​1479 with PR #​2575
• Add missing metadata parameters to OpenIdConnectConfiguration. See issue #​2498 for details.

Bug Fixes:

• Fix over-reporting of IDX14100. See issue #​2058 and PR #​2618 for details.
• JwtRegisteredClaimNames now contains previously missing Standard OpenIdConnect claims. See issue #​1598 for details.

Performance Improvements:

• No longer for every string claim, calling DateTime.TryParse on each value, whether it is expected to be a DateTime or not. See issue #​2615 for details.

v7.6.0

Compare Source

=====

New Features:

• Update JsonWebToken - extract and expose the method that reads the header/payload property values from the reader so it can be overridden in children classes to add any extra own logic. See issues #​2581, #​2583, and #​2495 for details.

Bug Fixes:

• JWE header algorithm is now compliant to IANA document. See issue #​2089 for details.

Performance Improvements:

• Reduce the number of internal array allocations that need to happen for each claim set, see PR #​2596.

Fundamentals:

• Add an AOT compatibility check on each PR to ensure only AOT compatible code is checked-in. See PR #​2598.
• Update perl scrip for OneBranch build. See PR #​2602.
• Add langversion 12 to benchmark tests. See PR #​2601.
• Removed unused build.cmd file. See PR #​2605.
• Create CodeQL exclusions file. See PR #​2609.
• Fix variable usage in AOT script. See PR #​2610.
• Move Microsoft.IdentityModel.Tokens delegates to a new file. See PR #​2606

v7.5.2

Compare Source

=====

Bug Fixes:

• Validate authentication tag length so a JWE with appended characters will not be considered a valid token. See issues #​2201, #​1641, PR #​2569, and IDX10625 Wiki for details.

Fundamentals:

• App Context Switches in Identity Model 7x are now documented here.

Performance Improvements:

• In .NET 6 or greater, use a temporary buffer to reduce intermediate allocation in VerifyRsa/VerifyECDsa. See PR #​2589 for more details.
• Reduce allocations in ValidateSignature by using a collection expression instead of new List<SecurityKey> { key }, to optimize for the single element case. See PR #​2586 for more details.
• Remove Task allocation in AadIssuerValidator. See PR #​2584 for more details.

v7.5.1

Compare Source

=====

Performance Improvements:

• Use Base64.DecodeFromUtf8InPlace for base64 decode that saves 12% on token read time. Note that JsonWebToken no longer throws ArgumentOutOfRangeException and ArgumentException exceptions. See PR #​2504.

Fundamentals:

• Moved token lifetime validation logic to an internal static class. See PR #​2547.

Bug Fix:

• Contribution from @​martinb69 to fix correct parsing of UserInfoEndpoint. See issue #​2548 for details.

v7.5.0

=====

New features

• Supports the 1.1 version of the Microsoft Entra ID Endpoint #​2503

v7.4.1

======

Bug Fixes:

• SamlSecurityTokenHandler and Saml2SecurityTokenHandler now can fetch configuration when validating SAML issuer and signature. See PR #​2412
• JsonWebToken.ReadToken now correctly checks Dot3 index in JWE. See PR #​2501

Engineering Excellence:

• Remove reference to Microsoft.IdentityModel.Logging in Microsoft.IdentityModel.Protocols, which already depends on it via Microsoft.IdentityModel.Tokens. See PR #​2508
• Adjust uppercase json serialization tests to fix an unreliable test method, add consistency to naming. See PR #​2512
• Disable the 'restore' and 'build' steps of 'build and pack' in build.sh, improving speed. See PR #​2521

v7.4.0

======

New Features:

• Introduced an injection point for external metadata management and adjusted the issuer Last Known Good (LKG) to maintain the state within the issuer validator. See PR #​2480.
• Made an internal virtual method public, enabling users to provide signature providers. See PR #​2497.

Performance Improvements:

• Added a new JsonWebToken constructor that accepts Memory for improved performance, along with enhancements to existing constructors. More information can be found in issue #​2487 and in PR #​2458.

Fundamentals:

• Resolved the issue of duplicated log messages in the source code and made IDX10506 log message more specific. For more details, refer to PR #​2481.
• Enhanced Json serialization by ensuring the complete object is always read. This improvement can be found in PR #​2491.

Engineering Excellence:

• Streamlined the build and release process by replacing the dependency on updateAssemblyInfo.ps1 with the Version property. Check out the details in PR #​2494.
• Excluded the packing of Benchmark and TestApp projects for a more efficient process. Details available in PR #​2496.

v7.3.1

Compare Source

======

Bug Fixes:

• Replace propertyName with MetadataName constant. See issue #​2471 for details.
• Fix 6x to 7x regression where mixed cases OIDC json was not correctly process. See #​2404 and #​2402 for details.

Performance Improvements:

• Update the benchmark configuration. See issue #​2468.

Documentation:

• Update comment for azp in JsonWebToken. See #​2475 for details.
• Link to breaking change announcement. See [#​2478].
• Fix typo in log message. See [#​2479].

v7.3.0

Compare Source

======

New Features:

Addition of the ClientCertificates property to the HttpRequestData class enables exposure of certificate collection involved in authenticating the client against the server and unlock support of new scenarios within the SDK. See PR #​2462 for details.

Bug Fixes:

Fixed bug where x5c property is empty in JwtHeader after reading a JWT containing x5c in its header, issue #​2447, see PR #​2460 for details.
Fixed bug where JwtPayload.Claim.Value was not culture invariant #​2409. Fixed by PRs #​2453 and #​2461.
Fixed bug where Guid values in JwtPayload caused an exception, issue #​2439. Fixed by PR #​2440.

Performance Improvements:

Remove linq from BaseConfigurationComparer, improvement #​2464, for additional details see PR #​2465.

Engineering Excellence:

New benchmark tests for AsymmetricAdapter signatures. For details see PR #​2449.

v7.2.0

Compare Source

======

Performance Improvements:

Reduce allocations and transformations when creating a token #​2395.
Update Esrp Code Signing version to speed up release build #​2429.

Engineering Excellence:

Improve benchmark consistency #​2428.
Adding P50, P90 and P100 percentiles to benchmarks #​2411.
Decouple benchmark tests from test projects #​2413.
Include pack step in PR builds #​2442.

Fundamentals:

Improve logging in Wilson for failed token validation when key not found #​2436.
Remove conditional Net8.0 compilation #​2424.

v7.1.2

Compare Source

======

Security fixes:

See https://aka.ms/IdentityModel/Jan2024/zip and https://aka.ms/IdentityModel/Jan2024/jku for details.

v7.0.3

Compare Source

======

Bug Fixes:

• Fix errors like the following reported by multiple customers at dotnet/aspnetcore#51005 when they tried to upgrade their app using AddMicrosoftIdentityWebApp to .NET 8. See PR for details.
• Fix compatibility issue with 6x when claims are a bool. See issue #​2354 for details.

---

Configuration

📅 Schedule: Branch creation - "before 07:00 on Thursday" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.