Bump System.IdentityModel.Tokens.Jwt from 5.5.0 to 6.7.1

[dependabot-preview]

Bumps System.IdentityModel.Tokens.Jwt from 5.5.0 to 6.7.1.

Release notes

Sourced from System.IdentityModel.Tokens.Jwt's releases.

6.7.0

Features

• Adjusted SignedHttpRequest logic to control optional validation of claims.
• Added Microsoft.CodeAnaylsis.FxCopAnalyzers to validate code.
• Added SecurityKey.IsSupportedAlgorithm API to check if a SecurityKey / Algorithm is supported.

Bug Fixes

• SamlSerializer fails to validate token using an XmlReader created from a XDocument.
• Null reference possible in logging when using the IDX13300 and IDX13107 log messages.
• When creating a TokenValidationResult and setting the Exception property, ensure IsValid is set to false.
• Use CultureInvariant when parsing double values.

Pull Requests click here.

Bug fixes click here.

6.6.0

Features

• OpenIdConnectConfiguration supports TokenIntrospectionEndpoint information with first class properties (#1411).
• TokenValidationParameters has user controlled validation of Algorithms and TokenType (#1413, #1385).
  • AlgorithmValidator - delegate allows users to check algorithm at runtime.
  • ValidAlgorithms - a list of algorithms that are allowed, if set will be honored.
  • TypeValidator - delegate allows users to check token type at runtime.
  • ValidTypes - a list of token types that are allowed, if set will be honored.
• Saml tokens will use SecurityTokenDescriptor.Claims when creating tokens (#1417).
• User can control if all possible keys should be tried to validate token (#1399.

Bug Fixes

• All supported asymmetric algorithms are checked for key size (delegates are now called before checking if validation should occur) (#1236).
• Null reference possible in logging (#1406)
• JwtSecuritytokenHandler does not set token on failure (#1290)
• Exceptions serialize data (#1300)

Click here for a full list of issues that were fixed in this release.

6.5.1

Simple servicing release with two fixes. AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1379

Turn off JsonHeader caching as there was no upper bound.

6.5.0

Features

• Support for the SignedHttpRequest protocol has been added (#1260). See this wiki page for more information.

Bug Fixes

• Validator delegates are now called before checking if validation should occur (#1272).
• SecurityKey.InternalId and SignatureProvider caching logic has been changed (#1346).
• JWT segment counting bug in the JsonWebToken constructor has been fixed (#1299).

Commits

• a22c4f4 revert to previous behavior where Uri.IsAbsolute only checked when not null.
• fa783a7 update to version 6.7.1
• aab47fa Set TokenValidationResult.IsValid to false if Exception is thrown.
• 3744a01 fixed spelling, extra line
• 7eb317e Issues: 453, 1419
• 8433d58 uses CultureInfo.InvariantCulture to stringify claim values
• 5560e2f Allow validation of signed http requests claims if present (#1415)
• de89a30 target lts version for test runtime (#1470)
• 0567929 Fix usage of IDX13300 and IDX13107 (#1458)
• 63f2585 Add analyzers to Tokens assembly (#1454)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)