Releases: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet

7.7.2

03 Jun 07:04
d399a12

Bug Fixes

  • Update JwtSecurityTokenHandler so that IssuerSigningKeyResolverUsingConfiguration takes priority over IssuerSigningKeyResolver, matching the documented contract and the correct behavior already present in JsonWebTokenHandler. See PR #3519.
  • Improve validation of jku claim. See PR #3480.

Dependency Updates

  • Update System.Text.Json to 8.0.5 on all target frameworks except .NET 461. See PR #3499.

8.19.1

03 Jun 03:37
3dba199

Bug Fixes

  • Update JwtSecurityTokenHandler so that IssuerSigningKeyResolverUsingConfiguration takes priority over IssuerSigningKeyResolver, matching the documented contract and the correct behavior already present in JsonWebTokenHandler. See PR #3519.

8.19.0

02 Jun 03:37
63d9d67

New Features

  • Add ML-DSA (FIPS 204) post-quantum signature support. See PR #3479.
  • Cache custom crypto providers in CryptoProviderFactory. See PR #3489.

Bug Fixes

  • Disable automatic redirects on default HttpClient for JKU retrieval. See PR #3494.
  • Adjust rented buffer handling in claim set parsing. See PR #3493.
  • Tidy null handling in SAML conditions validation. See PR #3491.
  • Improve validation of jku claim. See PR #3481.
  • Limit telemetry algorithm dimension cardinality. See PR #3490.
  • Add defensive copy of collections in ValidationParameters. See PR #3492.
  • Update TokenValidationParameter copy constructor to make a deep copy. See PR #3488.
  • Fail closed when replay protection isn't configured, plus other DPoP hardening. See PR #3505.
  • Apply RFC 3986 section 6.2.2 normalization to DPoP htu comparison. See PR #3509.

8.18.0

05 May 21:27
dda09aa

New Features

  • Introduced a new interface IConfigurationEventHandlerContextAware<T> that provides context to the configuration event handler implementation, allowing it to optionally bypass a cache lookup. See PR #3444.
  • Added Microsoft.IdentityModel.Dpop — a new package implementing DPoP (Demonstrating Proof-of-Possession) per RFC 9449. Provides both client-side and server-side proof validation with no System.Net.Http dependency. See PR #3443.

8.17.0

24 Mar 20:31
7b061d4

Dependencies

  • Downgrade MicrosoftExtensionsLoggingAbstractionsVersion to 8.0.0 on .NET 10. See PR #3435.

8.16.0

13 Feb 21:45
f817240

New Features

  • Add telemetry around signature validation. See PR #3415 for details.

Fundamentals

  • Fix FileVersion format to use two-digit year and day of year. See PR #3389 for details.

8.15.0

19 Nov 21:12
c33522e

New Features

  • Add ECDsa support in X509SecurityKey and JsonWebKeyConverter.ConvertFromX509SecurityKey
    Extended X509SecurityKey and JsonWebKeyConverter.ConvertFromX509SecurityKey to support ECDSA keys.
    See PR #2377 for details.

Bug Fixes

  • Sanitize logs to avoid leaking sensitive data
    Updated logging to sanitize sensitive values, reducing the risk of inadvertently exposing secrets or PII in logs.
    See PR #3316 for details.
  • Optimize log sanitization with SearchValues
    Improved the performance of the log sanitization logic introduced earlier by using SearchValues, making sanitization more efficient in high-throughput scenarios.
    See PR #3341 for details.
  • Update test for IDX10400
    Adjusted the IDX10400 test to align with the current behavior and error messaging.
    See PR #3314 for details.

Fundamentals

  • Add supported algorithm tests
    Added new tests to validate the set of supported cryptographic algorithms, increasing confidence in algorithm coverage and compatibility.
    See PR #3296 for details.
  • Migrate repository agent rules from .clinerules to agents.md
    Moved repository agent/AI-assist rules into markdown documentation to make them more visible and easier to maintain.
    See PR #3313 for details.
  • Migrate Microsoft.IdentityModel.TestExtensions from Newtonsoft.Json to System.Text.Json
    Updated Microsoft.IdentityModel.TestExtensions to use System.Text.Json instead of Newtonsoft.Json, aligning tests with the runtime serialization stack.
    See PR #3356 for details.
  • Disable code coverage comments
    Turned off automated code coverage comments on PRs to reduce noise while retaining coverage data elsewhere.
    See PR #3349 for details.
  • Fix CodeQL alerts
    Addressed CodeQL-reported issues to improve security posture and static analysis cleanliness.
    See PR #3364 for details.

.NET 10 / SDK and tooling updates

  • Building with .NET 10 preview / RC 1
    Updated the repository to build and test against .NET 10.0 preview/RC1, ensuring early compatibility with the upcoming runtime.
    See PRs #3287, #3357, and #3358 for details.
  • Fix .NET 10 test execution consistency
    Ensured consistent use of the TargetNetNext parameter across build, test, and pack phases so .NET 10.0 tests execute reliably.
    See PR #3337 for details.
  • Update project files and workflows for .NET 10.0 compatibility
    Adjusted project files and CI workflows to correctly target and run on .NET 10.0, including test and pack scenarios.
    See PR #3363 for details.
  • Update .NET version to meet CG compliance
    Updated the .NET version references to be compliant with corporate governance (CG) requirements.
    See PR #3353 for details.
  • Update Coverlet collector and test SDK
    • Bumped CoverletCollectorVersion to 6.0.4.
      See PR #3333 for details.
    • Upgraded Microsoft.NET.Test.Sdk to a newer version for improved test reliability and tooling support.
      See PR #3336 for details.
  • Update runTests.ps1 to specify dotnet directory
    Updated runTests.ps1 to accept an explicit dotnet directory, improving test execution robustness in environments with multiple SDK installations.
    See PR #3368 for details.
  • Adjust dotnetcore workflow targeting for .NET 10 SDK
    Iterated on the CI workflow configuration to correctly target the .NET 10 SDK:
    • Temporarily removed targeting of the .NET 10 SDK in dotnetcore.yml.
      See PR #3335.
    • Reverted that change to restore .NET 10 SDK targeting.
      See PR #3339 for details.

Documentation

  • Update support policy documentation
    Refreshed supportPolicy.md to reflect the latest support policy for IdentityModel.
    See PR #3367 for details.

8.14.0

15 Aug 23:29
c8f7d87

Bug Fixes

  • Switch back to using ValidationResult instead of OperationResult when validating a token in a new experimental validation flow. Additionally, remove the dependency on Microsoft.IdentityModel.Abstractions. See #3299 for details.

8.13.1

08 Aug 20:54
1badce8

Dependencies

  • Microsoft.IdentityModel now depends on Microsoft.Identity.Abstractions 9.3.0.

Bug Fixes

  • Fixed a decompression failure happening for large JWE payloads. See #3286 for details.

Work related to redesign of IdentityModel's token validation logic #2711

  • Update the validation methods to return Microsoft.Identity.Abstractions.OperationResult. See #3284 for details.

8.13.0

21 Jul 19:01
d25996a

Fundamentals

  • CaseSensitiveClaimsIdentity.SecurityToken setter is now protected internal (was internal). See PR #3278 for details.
  • Update the .NET SDK version used when building or running the code to 9.0.108. See PR #3274 for details.
  • Update RsaSecurityKey.cs to use Pss padding instead of Pkcs1 in the HasPrivateKey check. See #3280 for details.

What's Changed

  • Make CaseSensitiveClaimsIdentity.SecurityToken setter protected by @keegan-caruso in #3278
  • Update .NET SDK version in global.json from 9.0.107 to 9.0.108 by @Copilot in #3274
  • Update RsaSecurityKey.cs to remove Pkcs 1 by @keegan-caruso in #3280
  • changelog for 8.13 by @jennyf19 in #3282

New Contributors

  • @Copilot made their first contribution in #3274

Full Changelog: 8.12.1...8.13.0