chore(deps): update nuget non-major dependencies

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
Azure.Identity (source)	1.12.0 -> 1.16.0
Azure.Security.KeyVault.Certificates (source)	4.6.0 -> 4.8.0
Azure.Security.KeyVault.Secrets (source)	4.6.0 -> 4.8.0
Microsoft.AspNetCore.Mvc.Core (source)	2.2.5 -> 2.3.0
Microsoft.IdentityModel.Protocols.OpenIdConnect	8.1.0 -> 8.14.0
Microsoft.IdentityModel.Tokens	8.1.0 -> 8.14.0
Microsoft.NET.Sdk.Functions	4.4.1 -> 4.6.0
System.IdentityModel.Tokens.Jwt	8.1.0 -> 8.14.0

---

Release Notes

Azure/azure-sdk-for-net (Azure.Identity)

v1.16.0

Compare Source

1.16.0 (2025-09-09)

Features Added

• Added a new DefaultAzureCredential constructor that accepts a custom environment variable name for credential configuration. This provides flexibility beyond the default AZURE_TOKEN_CREDENTIALS environment variable. The constructor accepts any environment variable name and uses the same credential selection logic as the existing AZURE_TOKEN_CREDENTIALS processing.
• Added DefaultAzureCredential.DefaultEnvironmentVariableName constant property that returns "AZURE_TOKEN_CREDENTIALS" for convenience when referencing the default environment variable name.
• AzureCliCredential, AzurePowerShellCredential, and AzureDeveloperCliCredential now throw an AuthenticationFailedException when the TokenRequestContext includes claims, as these credentials do not support claims challenges. The exception message includes guidance for handling such scenarios.
• When AZURE_TOKEN_CREDENTIALS or the equivalent custom environment variable is configured to ManagedIdentityCredential, the DefaultAzureCredential does not issue a probe request and performs retries with exponential backoff.

Bugs Fixed

• Fixed AzureDeveloperCliCredential hanging when the AZD_DEBUG environment variable is set by adding the --no-prompt flag to prevent interactive prompts (#​52005).
• BrokerCredential is now included in the chain when AZURE_TOKEN_CREDENTIALS is set to dev.
• Fixed an issue that prevented ManagedIdentityCredential from utilizing the token cache in Workload Identity Federation environments.
• Fixed a bug in DefaultAzureCredential that caused the credential chain to be constructed incorrectly when using AZURE_TOKEN_CREDENTIALS in combination with DefaultAzureCredentialOptions.

Other Changes

• The BrokerCredential is now always included in the DefaultAzureCredential chain. If the Azure.Identity.Broker package is not referenced, an exception will be thrown when GetToken is called, making its behavior consistent with the rest of the credentials in the chain.
• Updated Microsoft.Identity.Client dependency to version 4.76.0.
• Updated Microsoft.Identity.Client.Extensions.Msal dependency to version 4.76.0.

v1.15.0

Compare Source

1.15.0 (2025-08-07)

Breaking Changes

Behavioral Breaking Changes

• Deprecated SharedTokenCacheCredential. The supporting credential (SharedTokenCacheCredential) was a legacy mechanism for authenticating clients using credentials provided to Visual Studio. For brokered authentication, consider using InteractiveBrowserCredential instead. The following changes have been made:
  • SharedTokenCacheCredential class is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • SharedTokenCacheCredentialOptions class is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • DefaultAzureCredentialOptions.ExcludeSharedTokenCacheCredential property is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • SharedTokenCacheUsername property is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • SharedTokenCacheCredential is no longer included in the DefaultAzureCredential authentication flow

Bugs Fixed

• Tenant ID comparisons in credential options are now case-insensitive. This affects AdditionallyAllowedTenants values which will now be matched against tenant IDs without case sensitivity, making the authentication more resilient to case differences in tenant IDs returned from WWW-Authenticate challenges (#​51693).

Other Changes

• BrokerAuthenticationCredential has been renamed as BrokerCredential.

• Added the EditorBrowsable(Never) attribute to property VisualStudioCodeTenantId as TenantId is preferred. The VisualStudioCodeTenantId property exists only to provide backwards compatibility.

v1.14.2

Compare Source

1.14.2 (2025-07-10)

Other changes

• Updated Microsoft.Identity.Client dependency to version 4.73.1

v1.14.1

Compare Source

1.14.1 (2025-07-08)

Bugs Fixed

• Added support in AzurePowerShellCredential for the Az.Accounts 5.0.0+ (Az 14.0.0+) breaking change where Get-AzAccessToken returns PSSecureAccessToken with a SecureString Token property instead of plaintext.

v1.14.0

Compare Source

1.14.0 (2025-05-13)

Other Changes

• Removed references to Username, Password, AZURE_USERNAME, and AZURE_PASSWORD in XML comments from EnvironmentCredentialOptions and EnvironmentCredential due to lack of MFA support. See MFA enforcement details.
• Marked AZURE_USERNAME and AZURE_PASSWORD as obsolete due to lack of MFA support. See MFA enforcement details.
• Added support for the AZURE_TOKEN_CREDENTIALS environment variable to DefaultAzureCredential, which allows for choosing between 'deployed service' and 'developer tools' credentials. Valid values are 'dev' for developer tools and 'prod' for deployed service.

v1.13.2

Compare Source

1.13.2 (2025-01-14)

Bugs Fixed

• Fixed an issue where setting DefaultAzureCredentialOptions.TenantId twice throws an InvalidOperationException (#​47035)
• Fixed an issue where ManagedIdentityCredential does not honor the CancellationToken passed to GetToken and GetTokenAsync. (#​47156)
• Fixed an issue where some credentials in DefaultAzureCredential would not fall through to the next credential in the chain under certain exception conditions.
• Fixed a regression in ManagedIdentityCredential when used in a ChainedTokenCredential where the invalid json responses do not fall through to the next credential in the chain. (#​47470)

v1.13.1

Compare Source

1.13.1 (2024-10-24)

Bugs Fixed

• Fixed a regression that prevented ManagedIdentityCredential from attempting to detect if Workload Identity is enabled in the current environment. #​46653
• Fixed a regression that prevented DefaultAzureCredential from progressing past ManagedIdentityCredential in some scenarios where the identity was not available. #​46709

v1.13.0

Compare Source

1.13.0 (2024-10-14)

Features Added

• ManagedIdentityCredential now supports specifying a user-assigned managed identity by object ID.

Bugs Fixed

• If DefaultAzureCredential attempts to authenticate with the MangagedIdentityCredential and it receives either a failed response that is not json, it will now fall through to the next credential in the chain. #​45184
• Fixed the request sent in AzurePipelinesCredential so it doesn't result in a redirect response when an invalid system access token is provided.
• Updated to version 4.65.0 of Microsoft.Identity.Client to address a bug preventing the use of alternate authority types such as dStS (4927) .

Other Changes

• The logging level passed to MSAL now correlates to the log level configured on your configured AzureEventSourceListener. Previously, the log level was always set to Microsoft.Identity.Client.LogLevel.Info.
• AzurePowerShellCredential now utilizes the AsSecureString parameter to Get-AzAccessToken for version 2.17.0 and greater of the Az.Accounts module.
• Improved error logging for AzurePipelinesCredential.

v1.12.1

Compare Source

1.12.1 (2024-09-26)

Bugs Fixed

• Updated to version 4.65.0 of Microsoft.Identity.Client to address a bug preventing the use of alternate authority types such as dStS (4927) .

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (Microsoft.IdentityModel.Protocols.OpenIdConnect)

v8.14.0

Compare Source

====

Bug Fixes

• Switch back to use ValidationResult instead of OperationResult when validating a token in a new experimental validation flow. Additionally removed the dependency on Microsoft.IdentityModel.Abstractions. See #​3299 for details.

v8.13.1

Compare Source

====

Dependencies

Microsoft.IdentityModel now depends on Microsoft.Identity.Abstractions 9.3.0

Bug Fixes

• Fixed a decompression failure happening for large JWE payloads. See #​3286 for details.

Work related to redesign of IdentityModel's token validation logic #​2711

• Update the validation methods to return Microsoft.Identity.Abstractions.OperationResult. See #​3284 for details.

v8.13.0

Compare Source

====

Fundamentals

• CaseSensitiveClaimsIdentity.SecurityToken setter is now protected internal (was internal). See PR #​3278 for details.
• Update .NET SDK version to 9.0.108 used when building or running the code. See PR #​3274 for details.
• Update RsaSecurityKey.cs to replace the Pkcs1 padding by Pss from HasPrivateKey check. See #​3280 for details.

v8.12.1

Compare Source

====

Fundamentals

• Update .NET SDK version to 9.0.107 used when building or running the code. See #​3385 for details.
• To keep our experimental code separate from production code, all files associated with experimental features have been moved to the Experimental folders. See PR #​3261 for details.
• Experimental code leaked into TokenValidationResult from early prototypes. See PR #​3259 for details.

v8.12.0

Compare Source

====

New Features

• Enhance ConfigurationManager with event handling
  Added event handling capabilities to the ConfigurationManager, enabling consumers to subscribe to configuration change events. This enhancement improves extensibility and allows more responsive applications. For details see #​3253

Bug Fixes

• Add expected Base64UrlEncoder.Decode overload for NET6 and 8
  Introduced the expected overload of Base64UrlEncoder.Decode for .NET 6 and 8, ensuring compatibility and preventing missing method issues on these frameworks.
  For details see #​3249

Fundamentals

• Add AI assist rules
  Incorporated AI assist rules to enhance AI agents effectiveness.
  For details see #​3255
• Update PublicApiAnalyzers and BannedApiAnalyzers to 4.14.0
  Upgraded analyzer packages for improved diagnostics and code consistency (in particular delegates are added).
  For details see #​3256
• Move suppression of RS006 to csproj
  Centralized suppression of RS006 warnings in project files for easier management.
  For details see #​3230

v8.11.0

Compare Source

=====

New Features:

• Microsoft.IdentityModel now exposes the AadIssuerValidator factory method publicly to enable caching functionality for AadIssuerValidator instances. See issue #​3245 for details.
• Added a new public async API: JsonWebTokenHandler.DecryptTokenWithConfigurationAsync, which decrypts a JWE token using keys from either TokenValidationParameters or, if not present, from configuration (such as via a ConfigurationManager). This enhancement improves developer experience by enabling asynchronous, cancellation-aware JWE decryption scenarios, aligning with modern .NET async patterns and making integration with external key/configuration sources more robust and observable. See PR #​3243 for details.

v8.10.0

Compare Source

=====

Bug Fixes

• Corrected casing of the Type attribute in SubjectConfirmationData. See #​3206.
• Removed Microsoft.Bcl.Memory dependency for pre-.NET 9.0 targets. See #​3220 to avoid build warnings with the other target frameworks
• Aligned Microsoft.Extensions.Logging.Abstractions version to 8.0.0 for .NET 9 to match other targets. See #​3226.

Fundamentals

• Introduced Long-Term Support (LTS) policy. See #​3228 and #​3232.

v8.9.0

Compare Source

=====

Bug Fixes

• syncAfter has been updated to preserve UTC information, addressing a bug where GetConfigurationAsync does not refresh configuration in ConfigurationManager. See #​3213.
• Fixed a null reference issue in KeyInfo. See (#​3203)[#​3203].

New Features

• Introduced a new delegate for reading custom token payload values on JsonWebToken. See #​2981.
• Added an overload for ReadJsonWebToken to take a ReadOnlyMemory. See #​3205.

Fundamentals

• Utilized IList to avoid enumerator allocation during audience validation. See #​3204.

v8.8.0

Compare Source

=====

New Features

• Adds the ability for the metadata refresh to be done as a blocking call, as per 8.0.1 behavior. This is done through the Switch.Microsoft.IdentityModel.UpdateConfigAsBlocking switch. If set, configuration calls will be blocking when metadata is updated, otherwise, if token arrive with a new signing keys, validation errors will be returned to the caller. See PR #​3193 for details.
• Identity.Model updates some log and error messages (IDX10214, IDX10215). If the information is needed for debugging purposes, it can be reverted via the Switch.Microsoft.IdentityModel.DoNotScrubExceptions AppContextSwitch. See PR #​3195 and https://aka.ms/identitymodel/app-context-switches for details.
• Change all plain object locks to System.Thread.Lock objects for .NET 9 or greater. See PRs #​3185 and #​3189 for details.

v8.7.0

Compare Source

=====

Bug Fixes

• Add back internal methods IsRecoverableException and IsRecoverableExceptionType whose signatures were changed in the previous version. See #​3181.

New Features

• Make Cnf class public and move it to Microsoft.IdentityModel.Tokens package. See #​3165.

v8.6.1

Compare Source

=====

Bug fix

• Microsoft.IdentityModel now triggers a configuration refresh if token decryption fails. See issue #​3148 for details.
• Fix a bug in JsonWebTokenHandler where JwtTokenDecryptionParameters's Alg and Enc were not set during token decryption, causing IDX10611 and IDX10619 errors to show null values in the messages. See issue #​3003 for details.

Fundamentals

• For development, IdentityModel now has a global.json file to specify the .NET SDK version. See issue #​2995 for details.

v8.6.0

Compare Source

=====

New Features

• TokenValidationParameters has a new boolean property TryAllDecryptionKeys that let you choose whether to try all decrypt keys when no key matches the token decrypt key IDs. By default it's set to true (legacy behavior) but you can set it to false to avoid tyring all keys which is more performant. See #​3128
• Promote KeyInfo.MatchesKey from internal to protected internal virtual to enable SAML extensibility (for CoreWcf). See #​3140

Fundamentals

• Update dependency on Microsoft.Extensions.Logging.Abstractions from 9.0.0 to 8.0.2 to avoid package downgrade in apps on .NET 9 using a netstandard2.0 library referencing logging.abstractions. See 3143
• Add more tests for encrypted tokens. See #​3139

v8.5.0

Compare Source

=====

Reverting previous breaking change

• The Configuration Manager has been reverted to version 8.3.1. The changes made in 8.4.0 assume the configuration manager is used as a singleton, which is similar to marking the type as disposable. We have since learned that adding IDisposable is a breaking change, so we are following semver guidance and reverting and releasing a minor version (8.5.0).
• Cherry-picked Changes: Included changes from PR #​3022 and #​3104.

v8.4.0

Compare Source

=====

New Features

• App context switch allows blocking or non-blocking calls for configuration. See PR #​3106 for details and issue #​3082 for details.
• IdentityModel now enables symmetric and asymmetric keys to be created publicly with JWK. See #​3094 for details.
• IdentityModel now allows specifying the HTTP protocol version and version policy. See #​2808 for details.

Repair items

• Add request count and duration telemetry for configuration requests. See #​3022 for details.
• KeyID should be present in exception messages and is no longer PII. See #​3104 for details.

Fundamentals

• Fix spelling issues in xml comments. See #​3117 for details.
• Fix comment coverage in PR builds. See #​3079 for details.

Work related to redesign of IdentityModel's token validation logic #​2711

• See #​3056. #​3100, #​3017, and #​3111.
• Add internal virtual on TokenHandler. See #​3084 for details.

v8.3.1

Compare Source

=====

Bug Fixes

• Respect TVP.RequireAudience when set to false. See #​3055
• For net4.6.2 select RSACng for PSS support. See #​3097
• Fix package downgrade in consuming libraries. See#​3062
• Fix integer overflow in AuthenticationEncryptionProvider.cs. See #​3063

Fundamentals

• Removed unused property on JsonWebToken ClaimsIdentity. See #​3071 for details.
• Upgrade to C# 13. See #​2998
• Use new Base64Url API. See #​22817
• Add warning quality check. See #​3067
• Update dotnet actions. see #​3074
• Fix warnings. See #​3081
• Test updates in JsonWebToken. See #​3080.

Work related to redesign of IdentityModel's token validation logic #​2711

• #​3027, #​3028, #​3051, #​3054

v8.3.0

Compare Source

=====

New features

Work related to redesign of IdentityModel's token validation logic #​2711

• SAML and SAML2 new model validation: Token Replay. See #​2994
• Extensibility tests: Token Type - JWT (#​3030), Issuer - SAML and SAML2 (#​3026), Algorithm and Signature - JWT, SAML and SAML2 (#​3034), Token Replay - JWT, SAML and SAML2 (#​3032), Issuer signing key - JWT, SAML and SAML2 (#​3029)
• Avoid code duplication in extensibility testing. See #​3041
• Extensibility Testing: Refactor. See #​3011
• Remove duplicate code in extensibility tests. See #​3044

Bug fixes

• Fix bug with AadIssuerValidator. See #​3042
• Fixed SignedHttpRequest flaky test. See #​3037

Fundamentals

• Install all .NET versions in pipeline to fix run tests task. See #​3018
• Changelog for 8.2.1. See #​3009
• Remove unnecessary AoT test project. See in #​3045
• Fix powershell script for nuget update. See #​3046
• Update to next version. See #​3010
• Disable Coverage PR comments. See #​3048
• Updates GitHub Action to support long paths, See #​3049
• Stack parameters to improve reading of code. by @​brentschmaltz in #​3031

New Contributors

• @​ssmelov made their first contribution in #​3042

v8.2.1

Compare Source

=====

New features

• Update to use .NET 9 GA. See 2990.

Bug fixes

• Remove dependency on Microsoft.Bcl.TimeProvider for .NET 8+ targets. See 2935.
• Update cgmanifest to align with the JSON schema. See 2969.

Fundamentals

• Streamline token creation by using SecurityTokenDescriptor. See 2993.
• Prevent inlining to guarantee stack frames in test. See 2999.

Work related to redesign of IdentityModel's token validation logic #​2711

• Simplify stack frame caching. See 2976.
• Implement new model for reading SAML and SAML2 tokens. See 2980.
• Implement new model for validating SAML signature. See 2950.
• Add tests for IssuerExtensibility. See 2987.
• Switch to new validation model for SAML and SAML2 issuer signing key. See 2965.
• Switch to new validation model for SAML and SAML2 algorithm. See 2984.

v8.2.0

Compare Source

=====

Fundamentals

• Update System.Text.Json to 8.0.5 CVE-2024-43485. See 2892.
• Using FixedTimeEquals in NETCore targets. See 2857.
• Updated .NET 9 to RC 2 2898.
• Adds ability to create token without kid 2968
• Enables code coverage in PRs 2946
• Various test improvements:
• #​2953
• #​2955
• #​2951
• #​2952
• #​2947

Work related to redesign of IdentityModel's token validation logic #​2711

• Validates Audience for SAML2TokenHandler with New Model 2863
• Improvements to AudienceValidation 2902
• Added properties to ValidationResult 2923
• Implements Audience and Lifetime validations in SamlSecurityTokenHandler 2925
• Implements Issuer validation in SamlSecurityTokenHandler 2948

v8.1.2

Compare Source

=====

Bug fixes

• CaseSensitiveClaimsIdentity.Clone() now returns a CaseSensitiveClaimsIdentity as expected. See 2879
• Multiple unused and unusable (for the moment) public APIs were removed. These were introduced by mistake leaking from the work done on logging and exception handling. See 2888. No major version changed needed as these APIs were not usable per se.

Fundamentals

• Enabled PublicApiAnalyzers to better understand and trace changes to the public API. See2782

v8.1.1

Compare Source

=====

Bug fixes

• Fix bug where ConfigurationManager was updating keys too frequently. See 2866 for details.

---

Configuration

📅 Schedule: Branch creation - "before 07:00 on Thursday" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.