Bump System.IdentityModel.Tokens.Jwt from 6.5.0 to 6.8.0

[dependabot-preview]

Bumps System.IdentityModel.Tokens.Jwt from 6.5.0 to 6.8.0.

Release notes

Sourced from System.IdentityModel.Tokens.Jwt's releases.

6.8.0

Bug fixes

• Resolve encryption key when Kid is not present in token #1511
• Objects overriding GetHashCode also override Equals #1536

Enhancements and features

• Improve empty audience error message #1488
• Enveloped Signature Writer should be able to determine the Digest algorithm from signing algorithm #1508
• Add Claims and PropertyBag properties to TokenValidationResult #1514
• Throw SecurityTokenSignatureValidationFailedException when none of the provided keys verify the signature #1515
• Add message for all keys were not supported #1520
• Add TokenType to SecurityTokenDescriptor. #1522
• Remove locks in SignatureProviders #1535

6.7.1

Reverted Saml2AuthenticationContext to previous behavior (< v6.7.0) where IsAbsoluteUri check is done only when DeclarationReference is not null (AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1480).

6.7.0

Features

• Adjusted SignedHttpRequest logic to control optional validation of claims.
• Added Microsoft.CodeAnaylsis.FxCopAnalyzers to validate code.
• Added SecurityKey.IsSupportedAlgorithm API to check if a SecurityKey / Algorithm is supported.

Bug Fixes

• SamlSerializer fails to validate token using an XmlReader created from a XDocument.
• Null reference possible in logging when using the IDX13300 and IDX13107 log messages.
• When creating a TokenValidationResult and setting the Exception property, ensure IsValid is set to false.
• Use CultureInvariant when parsing double values.

Pull Requests click here.

Bug fixes click here.

6.6.0

Features

• OpenIdConnectConfiguration supports TokenIntrospectionEndpoint information with first class properties (#1411).
• TokenValidationParameters has user controlled validation of Algorithms and TokenType (#1413, #1385).
  • AlgorithmValidator - delegate allows users to check algorithm at runtime.
  • ValidAlgorithms - a list of algorithms that are allowed, if set will be honored.
  • TypeValidator - delegate allows users to check token type at runtime.
  • ValidTypes - a list of token types that are allowed, if set will be honored.
• Saml tokens will use SecurityTokenDescriptor.Claims when creating tokens (#1417).
• User can control if all possible keys should be tried to validate token (#1399.

Bug Fixes

• All supported asymmetric algorithms are checked for key size (delegates are now called before checking if validation should occur) (#1236).
• Null reference possible in logging (#1406)

Commits

• 824068a Update version to 6.8.0
• 91acf95 Objects overriding GetHashCode also override Equals (#1536)
• 31d1dad Add TokenType to SecurityTokenDescriptor. (#1522)
• bbf721f added ability to set object pool size
• 00d4602 remove locks on RsaSignatureProviderProxy
• 8a82dea addid DisposeObjectPool
• 7058653 Add message for all keys were not supported (#1520)
• c4ee26d Add Claims and PropertyBag properties to TokenValidationResult (#1514)
• 92580d7 Throw SecurityTokenSignatureValidationFailedException when none of the provid...
• 13b4d68 Resolve encryption key when Kid is not present in token (#1511)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)