Update dependency Tenduke.Core to v8 - autoclosed
This MR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| Tenduke.Core | 6.0.0 -> 8.1.0 | | |
Release Notes
10Duke/core/dotnet-core (Tenduke.Core)
v8.1.0
Summary
The IJwksStore used by the authorization builder is now exposed via an interface so that the
ApiClientBuilder can access it and use it for the API client where appropriate.
Further updates have been made to improve the reliability of the tests of the logout callback
functionality.
New features
Make IJwksStore in authorization builder public
The IJwksStore used by the authorization builder (for the JSON Web Keys used to verify ID Tokens
from an OpenID Provider) is now exposed as a public property of the authorization builder, via the
IOpenIdJwksStore interface.
This is to allow the ApiClientBuilder to access it. For some subclasses of the ApiClientBuilder
it is desirable for the JWKS Store to be shared between the authorization client and the licensing
client (for example, for 10Duke Enterprise where the JSON Web Keyset is the same for both APIs).
Updates
Improve reliability of logout callback tests on Windows
The logout callback tests have been intermittently failing on Windows (and less often on macOS) when the CI pipeline runs. Steps have been taken to debug these failures and improve the reliability of these tests. The main changes are:
- avoid making HTTP requests to ports that are expected to have been closed in the test (due to cancellation or timeout)
- do not run the tests in parallel
- increase request timeouts for specific tests
v8.0.0
Summary
Makes the IAccessTokenRepository and IAccessTokenStore disposable.
Adds a file system based access token store and data protection services for access tokens and license
tokens. Data protection uses operating system specific mechanisms to ensure that tokens stored on the
file system remain confidential. Use of the data protection services is optional and requires the
SDK to be configured to use them.
Breaking changes
Add IDisposable to IAccessTokenRepository and IAccessTokenStore interfaces
Some implementations of the IAccessTokenStore may need to free managed and unmanaged resources
before they go out of scope.
This in turn means that the IAccessTokenRepository also needs to be disposable as it contains a
member of type IAccessTokenStore.
Migration required:
- Custom implementations of IAccessTokenStore should implement the disposable pattern
- The access token repository should be disposed of at application exit (it is a singleton); disposing of the relevant API client will also dispose of the repository
New Features
Data protection service for access and license tokens
Three new interfaces added: IDataProtector, IAccessTokenProtector, and ILicenseTokenProtector.
Services implementing these interfaces are provided for Windows, macOS, and Linux.
Operating system specific methods are used to provide a protection mechanism that is specific to the
current operating system user.
File system based access token store
An IAccessTokenStore implementation that stores access tokens on the local file system is provided.
This can be configured during initialization of the SDK. It provides a simple, convenient mechanism
to store credentials between application sessions and reduce the need for the end user to complete
login with the Authorization Server (typically via a browser).
The service can be configured to use the default implementation of IAccessTokenProtector (which is
selected by operating system at runtime) to maintain confidentiality of the access tokens stored on
the file system.
For non-confidential applications using Authorization Grant or Device Flow to authenticate users, it
is advised that any access tokens stored on the file system are stored using data protection (either
that provided by the SDK or implemented by the application).
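An added illustration (not the SDK's own implementation; the release notes do not show the interface members) of what an operating-system-specific protection bound to the current user looks like on Windows: DPAPI via `ProtectedData` with `DataProtectionScope.CurrentUser`, wrapped by a disposable file-system store that only ever writes the protected form of the token. The member signatures of `IAccessTokenProtector`, the class names, the file path and the entropy string are assumptions; `ProtectedData` is Windows-only and, on .NET Core and later, comes from the System.Security.Cryptography.ProtectedData package.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Assumed interface shape: the release notes name IAccessTokenProtector but
// do not show its members. The Windows implementation below uses DPAPI through
// ProtectedData with DataProtectionScope.CurrentUser, so only the same OS user
// account can unprotect the blob (the per-user guarantee the notes describe).
public interface IAccessTokenProtector { byte[] Protect(string accessToken); string Unprotect(byte[] blob); }

public sealed class DpapiAccessTokenProtector : IAccessTokenProtector
{
    // Optional entropy additionally binds the blob to this application (assumed value).
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-token-v1");

    public byte[] Protect(string accessToken) =>
        ProtectedData.Protect(Encoding.UTF8.GetBytes(accessToken), Entropy, DataProtectionScope.CurrentUser);

    public string Unprotect(byte[] blob) =>
        Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser));
}

// File-system store that only ever writes the protected form of the token.
// Disposable, as v8.0.0 requires of IAccessTokenStore implementations.
public sealed class FileAccessTokenStore : IDisposable
{
    private readonly string _path;
    private readonly IAccessTokenProtector _protector;
    public FileAccessTokenStore(IAccessTokenProtector protector, string? path = null)
    {
        _protector = protector;
        _path = path ?? Path.Combine(Environment.GetFolderPath(
            Environment.SpecialFolder.LocalApplicationData), "example-app", "access-token.bin");
    }

    public void Save(string accessToken)
    {
        Directory.CreateDirectory(Path.GetDirectoryName(_path)!);
        File.WriteAllBytes(_path, _protector.Protect(accessToken));
    }

    // Returns null when no token is stored, or when the blob cannot be unprotected
    // (different user, different machine, or tampering): the user logs in again.
    public string? Load()
    {
        if (!File.Exists(_path)) return null;
        try { return _protector.Unprotect(File.ReadAllBytes(_path)); }
        catch (CryptographicException) { return null; }
    }
    public void Dispose() { } // nothing to free here; satisfies the disposable contract
}
```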
Updates
Improvements to tests and logging from tests
Improve asynchronous processing in tests of login and logout callbacks from the Authorization Server. Catch logging errors from XUnit where the test execution has ended before the callback completes.
v7.1.0
Summary
Updates to the JSON Web Token and JSON Web Key Set handling. This will reduce the number of times the JSON Web Key Set for a particular API or service is retrieved via HTTP. This is achieved by introducing the option to cache the result either for the lifetime of the application session or (via external/custom implementations) persist the JSON Web Key Set results to storage of the application developer's choosing.
New Features
IJwksStore and IJwksProvider interfaces provide options for caching JSON Web Key Set results
The JwtReader class, which parses and validates JSON Web Tokens both from OpenID Providers
and from the 10Duke licensing APIs, can now be initialized with an implementation of the new
IJwksStore interface. The store caches the results of calling the JSON Web Key Set endpoint to
retrieve the public keys used to verify the authenticity and integrity of the JSON Web Tokens.
A default implementation of the IJwksStore is configured for use with OpenID Providers. This default
implementation stores the results in memory, reducing the number of times each instance of the application
or each application session needs to call the JSON Web Key Set endpoint.
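An added example (not the library's own IJwksStore, whose members the notes do not show) of the in-memory caching pattern described above, using the `JsonWebKeySet` and `JsonWebKey` types from the Microsoft.IdentityModel.Tokens package the project depends on. It goes one step beyond the text: an unknown `kid` triggers a single rate-limited refresh so that a rotated signing key is picked up without a forged token being able to drive unbounded fetches; the interface shapes and helper names are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

// Assumed interface shapes: the release notes name IJwksProvider/IJwksStore
// but do not show their members.
public interface IJwksProvider { Task<JsonWebKeySet> FetchAsync(Uri jwksUri); } // HTTP fetch of the key set
public interface IJwksStore { Task<JsonWebKey?> GetKeyAsync(Uri jwksUri, string kid); }

// One cached key set per JWKS endpoint for the life of the process. An unknown
// kid forces at most one refresh per interval, so a rotated signing key is
// picked up without letting forged tokens drive unbounded network fetches.
public sealed class InMemoryJwksStore : IJwksStore
{
    private readonly IJwksProvider _provider;
    private readonly TimeSpan _minRefreshInterval;
    private readonly ConcurrentDictionary<Uri, Task<JsonWebKeySet>> _cache = new();
    private readonly ConcurrentDictionary<Uri, DateTimeOffset> _lastFetch = new();
    public InMemoryJwksStore(IJwksProvider provider, TimeSpan? minRefreshInterval = null)
    {
        _provider = provider;
        _minRefreshInterval = minRefreshInterval ?? TimeSpan.FromMinutes(5);
    }
    public async Task<JsonWebKey?> GetKeyAsync(Uri jwksUri, string kid)
    {
        var key = Find(await _cache.GetOrAdd(jwksUri, Load).ConfigureAwait(false), kid);
        if (key != null) return key;
        var now = DateTimeOffset.UtcNow;
        if (_lastFetch.TryGetValue(jwksUri, out var last) && now - last < _minRefreshInterval)
            return null; // refreshed recently and still unknown: caller must reject the token
        var fresh = Load(jwksUri);
        _cache[jwksUri] = fresh;
        return Find(await fresh.ConfigureAwait(false), kid);
    }

    private Task<JsonWebKeySet> Load(Uri u)
    {
        _lastFetch[u] = DateTimeOffset.UtcNow;
        var t = _provider.FetchAsync(u);
        // A failed fetch must not stay pinned in the cache; drop it so the next call retries.
        t.ContinueWith(_ => _cache.TryRemove(new KeyValuePair<Uri, Task<JsonWebKeySet>>(u, t)),
                       TaskContinuationOptions.OnlyOnFaulted);
        return t;
    }

    private static JsonWebKey? Find(JsonWebKeySet set, string kid) => set.Keys.FirstOrDefault(k => k.Kid == kid);
}
```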
Updates
Dependency updates
- Update dotnet-azure-ad-identitymodel-extensions monorepo to 8.14.0
Test dependency updates
- Update dependency csharpier to 1.1.2
- Update dependency xunit.runner.visualstudio to 3.1.4
v7.0.0
Summary
Version 7.0.0 updates a number of project dependencies, which includes dropping support for .NET Framework 4.7.1. .NET 8, .NET Framework 4.7.2 (and therefore .NET Framework 4.7.x), and .NET Standard 2.0 continue to be supported.
Additionally, protection against OS command injection has been extended to the interactions with the system default browser during OAuth/OpenID login and logout.
Breaking changes
Support for .NET Framework 4.7.1 removed
Due to changes in the tools used to develop and build the library, support for .NET Framework 4.7.1 can no longer be maintained.
.NET Framework 4.7.2 remains a target for the assembly, which maintains support for .NET Framework 4.7.2 and 4.8.x. .NET Standard 2.0 is also maintained as a target for the assembly.
Updates
Improve protection against OS command injection when opening system default browser
When executing operating system processes, it is important to guard against OS command injection.
Where the library opens the system default browser to initiate login or logout, part of the URL comes from the configuration (loaded from the sources chosen by the application). That configuration could include data modified by the user of the application or by an attacker.
To improve protection against OS command injection via this configuration data, the library now checks that the URL is an absolute URL and applies an allow-list of characters that filters out common OS meta-characters not expected to occur in the generated login and logout URLs.
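An added illustration, not taken from the Tenduke.Core source, of the two checks the note describes before a configured URL reaches the operating system: absolute-URL parsing (with a web-scheme restriction) and a character allow-list that rejects rather than escapes. `BrowserLauncher`, `TryValidate`, `OpenInBrowser` and the exact character set are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Linq;

// Defensive launch of the system default browser. Class and method names, and
// the exact character set, are assumptions modelled on the checks described
// in the release notes: absolute-URL parsing plus an allow-list of characters.
public static class BrowserLauncher
{
    // RFC 3986 unreserved characters plus the delimiters an OAuth login or
    // logout URL needs (& and = for the query string). Shell meta-characters
    // such as space ; | $ ` ' " < > ( ) \ are absent, so they are rejected
    // rather than escaped.
    private const string AllowedChars =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
        + "-._~:/?#[]@&=%+,";

    public static bool TryValidate(string candidate, out Uri? uri)
    {
        uri = null;
        if (string.IsNullOrWhiteSpace(candidate)) return false;
        // 1. Must parse as an absolute URL; relative input could be anything.
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var parsed)) return false;
        // 2. Web schemes only: no file:, javascript: or custom protocol handlers.
        if (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps) return false;
        // 3. Allow-list applied to the raw string, before any normalisation.
        if (candidate.Any(c => AllowedChars.IndexOf(c) < 0)) return false;
        uri = parsed;
        return true;
    }

    public static bool OpenInBrowser(string candidate)
    {
        if (!TryValidate(candidate, out var uri)) return false;
        // UseShellExecute = true hands the URL to the OS handler (ShellExecute on
        // Windows, open on macOS, xdg-open on Linux) rather than to a shell command line.
        var psi = new ProcessStartInfo(uri!.AbsoluteUri) { UseShellExecute = true };
        Process.Start(psi)?.Dispose(); // disposing the handle does not close the browser
        return true;
    }
}
```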
Dependency updates
- Update dependency YamlDotNet to 16.3.0
- Update dotnet-azure-ad-identitymodel-extensions monorepo to 8.13.1
- Update dependency JUnitXml.TestLogger to v6
- Update dotnet monorepo to 9.0.8
Test dependency updates
- Update dependency xunit.runner.visualstudio to v3
- Update dependency csharpier to v1
- Update dependency sonaranalyzer.csharp to v10
- Update dependency jwt to v11
- Update dependency coverlet.collector to 6.0.4
- Update dependency docfx to 2.78.3
- Update dependency dotnet-reportgenerator-globaltool to 5.4.12
- Update dependency xunit to 2.9.3
- Update dependency dotnet-stryker to 4.8.0
- Update dependency Microsoft.NET.Test.Sdk to 17.14.1
This MR has been generated by Renovate Bot.