
[Breaking SBOM] transitive dependency to nuget package of IdentityModel.OidcClient must be replaced as it's now unlisted on nuget.org #1620


Open
eriawan opened this issue Mar 30, 2025 · 5 comments

eriawan commented Mar 30, 2025

Describe the bug
The parent dependency on the NuGet package IdentityModel.OidcClient must be replaced, as it is now unlisted on nuget.org. This brings the risk that the NuGet package is no longer supported and no longer available, which breaks the SBOM audit. This means we must replace the dependency immediately with an equivalent NuGet package.
See the detailed suggestions below.

Kubernetes C# SDK Client Version
Observed in 16.0.2.

Server Kubernetes Version
N/A; this issue focuses on a NuGet dependency (SBOM) concern.

Dotnet Runtime Version
I use both .NET 8.0 and .NET 9.0, but this doesn't matter for this issue.

To Reproduce
Steps to reproduce the behavior: N/A.
The current dependency on IdentityModel.OidcClient risks breaking the SBOM, as this NuGet package has now been unlisted by its owner.
This is how the IdentityModel.OidcClient NuGet package currently looks on nuget.org (I have added some emphasis), at https://www.nuget.org/packages/IdentityModel.OidcClient:

Image

Expected behavior
The NuGet package IdentityModel.OidcClient must be replaced immediately with the package suggested by the package's owner. In this case, Duende owns the IdentityModel.OidcClient NuGet package, and based on the suggestion on its nuget.org page, we must replace it with the suggested package Duende.IdentityModel.OidcClient.

KubeConfig
N/A.

Where do you run your app with Kubernetes SDK (please complete the following information):

  • OS: N/A
  • Environment: N/A
  • Cloud N/A

Additional context
I have done the replacement and compiled KubernetesClient (locally) using Duende.IdentityModel.OidcClient; this includes some changes in the code for some namespaces, and it works fine.
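One way to catch this class of problem before it reaches the audit, as an added example that is not part of KubernetesClient or of this issue: a small Python check that walks a CycloneDX SBOM and flags NuGet components whose version is unlisted or deprecated in nuget.org registration data. The SBOM and registration documents below are constructed sample data (the version strings are placeholders, not the real package's versions); the field names follow the nuget.org v3 registration resource (catalogEntry.listed and catalogEntry.deprecation.alternatePackage), and a real check would fetch the registration index over HTTPS instead of using the inlined dictionary.

```python
import json

# Constructed CycloneDX fragment with two NuGet components (sample data).
SAMPLE_SBOM = json.dumps({"components": [
    {"name": "IdentityModel.OidcClient", "version": "0.0.0-sample",
     "purl": "pkg:nuget/IdentityModel.OidcClient@0.0.0-sample"},
    {"name": "Some.Fine.Package", "version": "1.2.3",
     "purl": "pkg:nuget/Some.Fine.Package@1.2.3"},
]})

# Constructed registration indexes keyed by lower-cased package id, in the
# shape the nuget.org v3 registration resource returns (pages inlined).
# Versions are placeholders, not the real packages' versions.
SAMPLE_REGISTRATION = {
    "identitymodel.oidcclient": {"items": [{"items": [{"catalogEntry": {
        "id": "IdentityModel.OidcClient", "version": "0.0.0-sample",
        "listed": False,
        "deprecation": {"reasons": ["Legacy"], "alternatePackage": {
            "id": "Duende.IdentityModel.OidcClient", "range": "*"}}}}]}]},
    "some.fine.package": {"items": [{"items": [{"catalogEntry": {
        "id": "Some.Fine.Package", "version": "1.2.3", "listed": True}}]}]},
}

def catalog_entries(index):
    """Yield every catalogEntry of a registration index whose pages are inlined."""
    for page in index.get("items", []):
        for leaf in page.get("items", []):
            yield leaf["catalogEntry"]

def audit_sbom(sbom_json, registrations):
    """Return (package, version, problem, replacement) for each NuGet component
    that is unlisted or deprecated; replacement is None when the registry names
    no alternate package."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        if not comp.get("purl", "").startswith("pkg:nuget/"):
            continue  # only NuGet components are checked here
        index = registrations.get(comp["name"].lower(), {})
        for entry in catalog_entries(index):
            if entry["version"].lower() != comp["version"].lower():
                continue
            dep = entry.get("deprecation") or {}
            alt = dep.get("alternatePackage", {}).get("id")
            if not entry.get("listed", True):
                findings.append((comp["name"], comp["version"], "unlisted", alt))
            elif dep:
                findings.append((comp["name"], comp["version"], "deprecated", alt))
    return findings
```

Running the check on the samples reports only IdentityModel.OidcClient, with Duende.IdentityModel.OidcClient as the replacement the registry advertises.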

@eriawan eriawan changed the title [Breaking SBOM] Parent dependency to nuget package of IdentityModel.OidcClient must be replaced as it's now unlisted on nuget.org [Breaking SBOM] transitive dependency to nuget package of IdentityModel.OidcClient must be replaced as it's now unlisted on nuget.org Mar 30, 2025
tg123 (Member) commented Mar 31, 2025

I have an ongoing PR to remove those dependencies: #1618.
I was on vacation, so it's a bit delayed.

Sorry :(

eriawan (Author) commented Apr 3, 2025

> I have an ongoing PR to remove those dependencies: #1618. I was on vacation, so it's a bit delayed.
>
> Sorry :(

No problem. Do you have an estimated date/month to finish this? Or could I simply propose a PR to fix this issue, including the JWT NuGet package issue? I could help with this if you are OK with it, because locally I have a working branch with the dependency updated to use Duende's Identity package, and I will help with updating the problematic JWT NuGet package in #1618.

Apologies if I seem to be chasing you, but this dependency/SBOM problem related to Duende's Identity obsoletion has existed since 2024, and it breaks my SBOM audits when using KubernetesClient, especially within .NET Aspire Hosting, which indirectly references this deleted Identity package (via the current KubernetesClient NuGet package used by the Aspire.Hosting package).

eriawan (Author) commented Apr 4, 2025

@tg123 Pardon, are you still on vacation? Based on your last comment, I assume you are not on vacation anymore.

When could I have an estimated date for this to be fixed? Should I propose a PR instead?
Please confirm. Feel free to let me know if you are currently busy with something else; in the meantime I will continue to work on my fork of this repo and create a forked KubernetesClient with my own fix for now.

Apologies again if I sound a bit harsh, but the org policy on my current job/project is forcing me and my team to take definite action (even if it may be temporary to use my own fix) to ensure that my team's work is not disrupted by a broken SBOM, and this broken SBOM has been there since (as far as known) the end of 2024.

Let me know if I can help to speed up fixing this issue on your side.

tg123 (Member) commented Apr 5, 2025

The coding part is done; if you can help add test cases, that would be really helpful.

brendandburns (Contributor) commented

@tg123 I'll see about adding a test case.
