chore(deps): update all non-major dependencies

[marvin-serp-bot]

This PR contains the following updates:

Package	Type	Update	Change
Microsoft.AspNetCore.Authentication.OpenIdConnect (source)	nuget	patch	7.0.14 -> 7.0.20
Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation (source)	nuget	patch	7.0.14 -> 7.0.20
Microsoft.IdentityModel.Protocols.OpenIdConnect	nuget	minor	7.0.3 -> 7.7.1
Microsoft.VisualStudio.Azure.Containers.Tools.Targets	nuget	minor	1.18.1 -> 1.21.0
Serilog.AspNetCore	nuget	patch	8.0.0 -> 8.0.3
Serilog.Settings.Configuration	nuget	patch	8.0.0 -> 8.0.4
alpine	final	minor	3.20 -> 3.21

---

Release Notes

dotnet/aspnetcore (Microsoft.AspNetCore.Authentication.OpenIdConnect)

v7.0.20: .NET 7.0.20

Release

v7.0.19: .NET 7.0.19

Release

v7.0.18: .NET 7.0.18

Release

v7.0.17: .NET 7.0.17

Release

v7.0.16: .NET 7.0.16

Release

v7.0.15: .NET 7.0.15

Release

AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet (Microsoft.IdentityModel.Protocols.OpenIdConnect)

v7.7.1

Compare Source

7.7.1

Bug Fix

• Re-add JsonSerializerPrimitives.TryAllStringClaimsAsDateTime which was removed as it is in an internal class, but due to InternalsVisibleTo can lead to a MissingMethodException if IdentityModel versions are not aligned. See PR #​2734 for details.

v7.7.0

7.7.0

CVE package updates

CVE-2024-30105

• A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Opt in to the new behavior via an AppContext switch. See PR #​2715 for details.

Performance improvement

• AppContext.TryGetSwitch statically caches internally but takes out a lock.
  .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #​2722 for details.

v7.6.2

Compare Source

7.6.2

Bug Fix:

• Revert reduced allocations in AadIssuerValidator by not using string.Replace where appropriate due to an index out-of-range error.

v7.6.1

Compare Source

=====

New Features:

• Added an Audiences member to the SecurityTokenDescriptor to make it easier to define multiple audiences in JWT and SAML tokens. Addresses issue #​1479 with PR #​2575
• Add missing metadata parameters to OpenIdConnectConfiguration. See issue #​2498 for details.

Bug Fixes:

• Fix over-reporting of IDX14100. See issue #​2058 and PR #​2618 for details.
• JwtRegisteredClaimNames now contains previously missing Standard OpenIdConnect claims. See issue #​1598 for details.

Performance Improvements:

• No longer for every string claim, calling DateTime.TryParse on each value, whether it is expected to be a DateTime or not. See issue #​2615 for details.

v7.6.0

Compare Source

=====

New Features:

• Update JsonWebToken - extract and expose the method that reads the header/payload property values from the reader so it can be overridden in children classes to add any extra own logic. See issues #​2581, #​2583, and #​2495 for details.

Bug Fixes:

• JWE header algorithm is now compliant to IANA document. See issue #​2089 for details.

Performance Improvements:

• Reduce the number of internal array allocations that need to happen for each claim set, see PR #​2596.

Fundamentals:

• Add an AOT compatibility check on each PR to ensure only AOT compatible code is checked-in. See PR #​2598.
• Update perl scrip for OneBranch build. See PR #​2602.
• Add langversion 12 to benchmark tests. See PR #​2601.
• Removed unused build.cmd file. See PR #​2605.
• Create CodeQL exclusions file. See PR #​2609.
• Fix variable usage in AOT script. See PR #​2610.
• Move Microsoft.IdentityModel.Tokens delegates to a new file. See PR #​2606

v7.5.2

Compare Source

=====

Bug Fixes:

• Validate authentication tag length so a JWE with appended characters will not be considered a valid token. See issues #​2201, #​1641, PR #​2569, and IDX10625 Wiki for details.

Fundamentals:

• App Context Switches in Identity Model 7x are now documented here.

Performance Improvements:

• In .NET 6 or greater, use a temporary buffer to reduce intermediate allocation in VerifyRsa/VerifyECDsa. See PR #​2589 for more details.
• Reduce allocations in ValidateSignature by using a collection expression instead of new List<SecurityKey> { key }, to optimize for the single element case. See PR #​2586 for more details.
• Remove Task allocation in AadIssuerValidator. See PR #​2584 for more details.

v7.5.1

Compare Source

=====

Performance Improvements:

• Use Base64.DecodeFromUtf8InPlace for base64 decode that saves 12% on token read time. Note that JsonWebToken no longer throws ArgumentOutOfRangeException and ArgumentException exceptions. See PR #​2504.

Fundamentals:

• Moved token lifetime validation logic to an internal static class. See PR #​2547.

Bug Fix:

• Contribution from @​martinb69 to fix correct parsing of UserInfoEndpoint. See issue #​2548 for details.

v7.5.0

=====

New features

• Supports the 1.1 version of the Microsoft Entra ID Endpoint #​2503

v7.4.1

======

Bug Fixes:

• SamlSecurityTokenHandler and Saml2SecurityTokenHandler now can fetch configuration when validating SAML issuer and signature. See PR #​2412
• JsonWebToken.ReadToken now correctly checks Dot3 index in JWE. See PR #​2501

Engineering Excellence:

• Remove reference to Microsoft.IdentityModel.Logging in Microsoft.IdentityModel.Protocols, which already depends on it via Microsoft.IdentityModel.Tokens. See PR #​2508
• Adjust uppercase json serialization tests to fix an unreliable test method, add consistency to naming. See PR #​2512
• Disable the 'restore' and 'build' steps of 'build and pack' in build.sh, improving speed. See PR #​2521

v7.4.0

======

New Features:

• Introduced an injection point for external metadata management and adjusted the issuer Last Known Good (LKG) to maintain the state within the issuer validator. See PR #​2480.
• Made an internal virtual method public, enabling users to provide signature providers. See PR #​2497.

Performance Improvements:

• Added a new JsonWebToken constructor that accepts Memory for improved performance, along with enhancements to existing constructors. More information can be found in issue #​2487 and in PR #​2458.

Fundamentals:

• Resolved the issue of duplicated log messages in the source code and made IDX10506 log message more specific. For more details, refer to PR #​2481.
• Enhanced Json serialization by ensuring the complete object is always read. This improvement can be found in PR #​2491.

Engineering Excellence:

• Streamlined the build and release process by replacing the dependency on updateAssemblyInfo.ps1 with the Version property. Check out the details in PR #​2494.
• Excluded the packing of Benchmark and TestApp projects for a more efficient process. Details available in PR #​2496.

v7.3.1

Compare Source

======

Bug Fixes:

• Replace propertyName with MetadataName constant. See issue #​2471 for details.
• Fix 6x to 7x regression where mixed cases OIDC json was not correctly process. See #​2404 and #​2402 for details.

Performance Improvements:

• Update the benchmark configuration. See issue #​2468.

Documentation:

• Update comment for azp in JsonWebToken. See #​2475 for details.
• Link to breaking change announcement. See [#​2478].
• Fix typo in log message. See [#​2479].

v7.3.0

Compare Source

======

New Features:

Addition of the ClientCertificates property to the HttpRequestData class enables exposure of certificate collection involved in authenticating the client against the server and unlock support of new scenarios within the SDK. See PR #​2462 for details.

Bug Fixes:

Fixed bug where x5c property is empty in JwtHeader after reading a JWT containing x5c in its header, issue #​2447, see PR #​2460 for details.
Fixed bug where JwtPayload.Claim.Value was not culture invariant #​2409. Fixed by PRs #​2453 and #​2461.
Fixed bug where Guid values in JwtPayload caused an exception, issue #​2439. Fixed by PR #​2440.

Performance Improvements:

Remove linq from BaseConfigurationComparer, improvement #​2464, for additional details see PR #​2465.

Engineering Excellence:

New benchmark tests for AsymmetricAdapter signatures. For details see PR #​2449.

v7.2.0

Compare Source

======

Performance Improvements:

Reduce allocations and transformations when creating a token #​2395.
Update Esrp Code Signing version to speed up release build #​2429.

Engineering Excellence:

Improve benchmark consistency #​2428.
Adding P50, P90 and P100 percentiles to benchmarks #​2411.
Decouple benchmark tests from test projects #​2413.
Include pack step in PR builds #​2442.

Fundamentals:

Improve logging in Wilson for failed token validation when key not found #​2436.
Remove conditional Net8.0 compilation #​2424.

v7.1.2

Compare Source

======

Security fixes:

See https://aka.ms/IdentityModel/Jan2024/zip and https://aka.ms/IdentityModel/Jan2024/jku for details.

serilog/serilog-aspnetcore (Serilog.AspNetCore)

v8.0.3

• #​383 - update Serilog.Settings.Configuration dependency (@​Numpsy)

v8.0.2

• #​376 - update Serilog.Settings.Configuration dependency to avoid transitive dependency on vulnerable System.Text.Json (@​nblumhardt)
• #​364 - fix example code (@​RandomBuffer)
• #​367 - clean up and format (@​sungam3r)
• #​370 - README updates (@​nblumhardt)

v8.0.1

• #​357 - bug fix: generate an AssemblyVersionAttribute (@​nblumhardt)

serilog/serilog-settings-configuration (Serilog.Settings.Configuration)

v8.0.4

• #​439 - update Microsoft.Extensions.DependencyModel to 8.0.2 (@​Numpsy)

v8.0.3

• #​430 - use consistent binding logic for nested objects in argument values (@​nblumhardt)
• #​432 - make string to enum conversion case-insensitive (@​0xced)
• #​413 - prefer "MinimumLevel:Default" if "MinimumLevel" is an empty string (@​DavidAllardyce)

v8.0.2

• #​428 - update Microsoft.Extensions.DependencyModel dependency to avoid vulnerable transitive dependency on System.Text.Json (@​Numpsy)
• #​427 - test project update (@​Numpsy)

v8.0.1

• #​405 - support for collections/arrays in constructor arguments (@​ChristofferGersen)
• #​403 - restore parallel test execution 😅 (@​0xced)
• #​409 - improve tests for ObjectArgumentValue (@​ChristofferGersen), reformat JSON using raw literal strings (@​0xced)
• #​412 - fix example in README.md (@​erichiller)
• #​416 - clarify location of "Serilog" configuration section in README.md (@​eleazarcelis)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

✒️ PR Title Commitlint - ✔️ Lint success!

[github-actions]

🛠️ 🐳 Build PR Container - azurekeycloaktester-container - 🏷️ Commit: ecc2190 - ⚙️ Workflow: 12258635065

harbor.ukserp.ac.uk/github-workflows-test/azurekeycloaktester:pr-193
harbor.ukserp.ac.uk/github-workflows-test/azurekeycloaktester:pr-193-ecc2190
sha256:2ef861a1e9a95d2e562b3e9656fcad2935e2728658afe9729e1800373e6bf4c4

[github-actions]

🛠️ 🐳 Build PR Container - controller-container - 🏷️ Commit: ecc2190 - ⚙️ Workflow: 12258635031

harbor.ukserp.ac.uk/github-workflows-test/controller:pr-193
harbor.ukserp.ac.uk/github-workflows-test/controller:pr-193-ecc2190
sha256:4f365b7d6c61102fe7c22f1bd0a32d3139ae7df2858235a27ff4bb937f7052d2

[github-actions]

🛠️ 🐳 Build PR Container - trino-container - 🏷️ Commit: ecc2190 - ⚙️ Workflow: 12258635031

harbor.ukserp.ac.uk/github-workflows-test/trino:pr-193
harbor.ukserp.ac.uk/github-workflows-test/trino:pr-193-ecc2190
sha256:c3874c4d2cf3381717ad5e90dbc8cb0360af9bb8336791cc9ed4ac594d9ff67a

[github-actions]

🛠️ ⚓ Build PR Chart - fizzbuzz-chart - 🏷️ Commit: ecc2190 - ⚙️ Workflow: 12258635031

harbor.ukserp.ac.uk/github-workflows-test/chart/fizzbuzz:0.0.0-pr.193
harbor.ukserp.ac.uk/github-workflows-test/chart/fizzbuzz:0.0.0-pr.193+ecc2190

[marvin-serp-bot]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.