Releases: AzureAD/microsoft-identity-web

3.15.1

08 Jun 19:55
ce7b264

Bug fixes

  • Improve User Agent processing in cookie policy extensions. See PR #3824 for details.
  • Use LRU cache for issuer address in B2C OpenID Connect event handler to improve performance. See PR #3823 for details.

Dependencies updates

  • Pin Microsoft.Kiota.Abstractions to 1.22.0 for GraphServiceClient, fixing NU1903 build break caused by the GHSA-7j59-v9qr-6fq9 advisory. See PR #3818 for details.
  • Pin Microsoft.Kiota.Abstractions to 1.22.0 for GraphServiceClientBeta, fixing the same advisory. See PR #3827 for details.

Fundamentals

  • Migrate tests to Lab.API 2.x. See PR #3837 for details.
  • Fix web UI tests. See PR #3838 for details.

4.10.0

25 May 17:32
679f66b

New features

  • Add WithExtraBodyParameters fluent API for attaching extra body parameters to token acquisition requests. See #3819.
  • Add IConfidentialClientApplicationProvider extensibility interface and CachePartitionKey support for silent token acquisition. See #3822.

Bug fixes

  • Sanitize redirect URIs in authorization scenarios; centralize redirect URI validation in a shared helper. See #3825.
  • Reject dSTS-shaped Authority values with a clearer exception, steering users to use Instance + TenantId instead. See #3805.
  • Improve regex handling and add length/timeout safeguards for SameSite User Agent. See #3811.

Behavior changes

  • B2C OpenID Connect event handler: LRU cache for issuer address. Issuer address lookups in the B2C OIDC event handler are now cached with an LRU cache, improving performance for repeated lookups. See #3821.

Dependencies updates

  • Update MSAL.NET to 4.84.1. See #3822.
  • Pin Microsoft.Kiota.Abstractions to 1.22.0 for GraphServiceClient. See #3817.
  • Bump uuid and @azure/msal-node in SidecarAdapter TypeScript test app. See #3826.
  • Bump qs in SidecarAdapter TypeScript test app. See #3829.

3.15.0

11 May 15:19
94dfc6f

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #3785.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #3793.

Dependencies updates

  • Updated MSAL.NET 4.76.0 → 4.83.1
  • Bump System.Security.Cryptography.Pkcs and System.Security.Cryptography.Xml to latest patched versions. See #3799.

Full Changelog: 3.14.1...3.15.0

4.9.0

01 May 21:28
6036981

New features

  • Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #3794.

Bug fixes

  • Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #3792.

Behavior changes

  • DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #3793.

Dependencies updates

  • Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #3787.
  • Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #3787.
  • Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #3796.
  • Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #3788.

Full Changelog: 4.8.0...4.9.0

4.8.0

20 Apr 17:37
8ef9f9d

What's Changed

  • Bump flatted from 3.3.3 to 3.4.2 in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in #3753
  • Update changelog.md for ID.Web 4.6.0 by @bgavrilMS in #3756
  • Add token binding to MicrosoftIdentityMessageHandler by @cpp11nullptr in #3743
  • Bump picomatch in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in #3759
  • Documentation: Clarify managed identity credential types for containerized vs. VM/App Service deployments by @Copilot in #3585
  • Bump path-to-regexp from 8.3.0 to 8.4.0 in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in #3762
  • Upgrade Microsoft Application Insights packages by @RojaEnnam in #3763
  • Use Abstractions 12 by @pmaytak in #3761
  • Post-4.7.0 by @pmaytak in #3768
  • Fix Comp Gov DOTNET-Security-10.0 by @reginayap8 in #3769
  • Upgrade CodeQL to V4: Fix 10 CodeQL Analysis Warnings and Errors by @reginayap8 in #3770
  • fix warnings by @gladjohn in #3771
  • adding examples for using postgres as a distributed cache by @JaredMSFT in #3766
  • Suppress AOT configuration-binding SYSLIB warnings in AotCompatibility test app by @Copilot in #3774
  • Bump vite from 7.1.11 to 7.3.2 in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in #3772
  • Skip legacy B2C local-account Todo UI test in WebAppUiTests by @Copilot in #3778
  • Fix initialization of ConfidentialClientApplicationOptions in MergedOptions by @cpp11nullptr in #3760
  • Bump net8/net9/net10 runtime package baselines to patched crypto servicing versions by @Copilot in #3779
  • Fix flaky certificate test failures on CI by @gladjohn in #3780
  • MTLS Without Tokens Support by @tlupes in #3747
  • Fix CredentialsProvider DI lifetime mismatch causing startup crash in Development by @Avery-Dunn in #3783
  • Remove unused DataProtection configuration from Sidecar by @Copilot in #3776

Full Changelog: 4.6.0...4.8.0

4.7.0

02 Apr 08:48
6e44eba

Bug fixes

  • Updates to Microsoft.Identity.Abstractions 12.0.0 to revert breaking changes introduced in Abstractions 11.0.0. (On the .NET 10 target, the Certificate extension method in CredentialDescription was reverted to a normal property.) See #3767.

4.6.0

23 Mar 11:58
a120ab1

What's Changed

  • Move boilerplate code skills to IdWeb, and add Aspire DevApp demonstrating Blazor authentication components by @Copilot in #3721
  • Bump MSAL to 4.83.1 and re-enable Managed Identity CAE tests by @Copilot in #3746
  • Bump Abstractions to 11.2 by @bgavrilMS in #3749
  • Update documentation to reference Blazor helpers from Microsoft.Identity.Web package by @Copilot in #3723

Full Changelog: 4.5.0...4.6.0

4.5.0

05 Mar 08:22
9a30121

New features

  • Add support for certificate store lookup by subject name. See #3742.

Dependencies updates

  • Bump minimatch in /tests/DevApps/SidecarAdapter/typescript. See #3739.
  • Bump rollup from 4.52.3 to 4.59.0 in /tests/DevApps/SidecarAdapter/typescript. See #3740.

4.4.0

28 Feb 01:44
50cbeb2

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #3705 and #3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #3728.
  • Add OBO event initialization for OBO APIs. See #3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #3714.
  • Add a retry counter for acquire token and update tests with a fake secret. See #3682.
  • Fix OBO user error handling. See #3712.
  • Fix override merging for app token (and others). See #3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #3699.
  • Update to MSAL 4.81.0. See #3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #3729.
  • Improve the Aspire doc article and skills. See #3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #3667.
  • Add Copilot explore tool functionality. See #3694.

Fundamentals

  • Remove unnecessary warning suppression. See #3715.
  • Migrate labs to Lab.API 2.x (first pass). See #3710.
  • Update Sidecar E2E test constants. See #3693.
  • Fix intermittent failures in CertificatesObserverTests. See #3687.
  • Add validation baseline exclusions. See #3684.
  • Add dSTS integration tests. See #3677.
  • Fix FIC test. See #3663.
  • Update IdentityWeb version, build logic, and validation. See #3659.

4.4.0-preview.1

05 Mar 08:19
50cbeb2

Pre-release

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #3705 and #3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #3728.
  • Add OBO event initialization for OBO APIs. See #3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #3714.
  • Add a retry counter for acquire token and update tests with a fake secret. See #3682.
  • Fix OBO user error handling. See #3712.
  • Fix override merging for app token (and others). See #3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #3699.
  • Update to MSAL 4.81.0. See #3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #3729.
  • Improve the Aspire doc article and skills. See #3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #3667.
  • Add Copilot explore tool functionality. See #3694.

Fundamentals

  • Remove unnecessary warning suppression. See #3715.
  • Migrate labs to Lab.API 2.x (first pass). See #3710.
  • Update Sidecar E2E test constants. See #3693.
  • Fix intermittent failures in CertificatesObserverTests. See #3687.
  • Add validation baseline exclusions. See #3684.
  • Add dSTS integration tests. See #3677.
  • Fix FIC test. See #3663.
  • Update IdentityWeb version, build logic, and validation. See #3659.