[Bug] Latest M.IM.Tokens package causes a downgrade error for CoreWCF #3112

Closed
1 of 14 tasks
mconnew opened this issue Jan 31, 2025 · 4 comments · Fixed by #3143
Labels: Dependency Mismatch (Transitive dependency might be at play and create issues resulting in incorrect versions of a class); P1 (More important, prioritize highly); Regression


mconnew commented Jan 31, 2025

Which version of Microsoft.IdentityModel are you using?
8.3.1

Where is the issue?

  • M.IM.JsonWebTokens
  • M.IM.KeyVaultExtensions
  • M.IM.Logging
  • M.IM.ManagedKeyVaultSecurityKey
  • M.IM.Protocols
  • M.IM.Protocols.OpenIdConnect
  • M.IM.Protocols.SignedHttpRequest
  • M.IM.Protocols.WsFederation
  • M.IM.TestExtensions
  • M.IM.Tokens
  • M.IM.Tokens.Saml
  • M.IM.Validators
  • M.IM.Xml
  • S.IM.Tokens.Jwt
  • Other (please describe)

Is this a new or an existing app?

This is an existing library that I attempted to upgrade to a new version of M.IM.Tokens

Repro
Create a library that targets netstandard2.0. Add the following dependencies to that library:

  • Microsoft.IdentityModel.Protocols.WsFederation 8.3.0
  • Microsoft.IdentityModel.Tokens 8.3.0
  • Microsoft.IdentityModel.Tokens.Saml 8.3.0
  • Microsoft.Extensions.Primitives 8.0.0
  • Microsoft.Extensions.Logging.Abstractions 8.0.2
  • Microsoft.Extensions.Logging 8.0.1

The library is using central package management and has transitive pinning enabled.
Create a second application project which targets net9.0 that depends on the library. Run dotnet restore on the application project.
[Edit] I think I meant 8.3.1 above as 8.3.0 works fine.

Expected behavior
Packages will be restored

Actual behavior
Package restore fails with the following error message:
Warning As Error: Detected package downgrade: Microsoft.Extensions.Logging.Abstractions from 9.0.0 to 8.0.2. Reference the package directly from the project to select a different version.

Possible solution
Remove Microsoft.Extensions.Logging.Abstractions dependency from M.IM.Tokens. The 8.3.0 version of the package didn't have this dependency.

Additional context / logs / screenshots / links to code
There might be an existing issue for this, but I'm confused about what's written in it and the timeline so I'm not sure. Issue #3061 says this problem exists in 8.3.1, but the issue was opened before 8.3.1 was released. Additionally PR #3062 claims to fix issue #3061, and was created after the issue, but is actually the PR which introduced the problem.

Full repro can be found here: https://github.com/mconnew/IssueRepros/tree/main/IdentityModelRepro
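
The central package management setup that the repro steps above describe could look like the following `Directory.Packages.props`. This is an added illustration, not a file from the linked repro repository; it assumes the library and the application share one props file, and it uses 8.3.1 for the IdentityModel packages per the [Edit] note.

```xml
<!-- Directory.Packages.props: constructed illustration of the repro steps,
     not copied from the linked repository. Assumed to sit above both the
     netstandard2.0 library and the net9.0 application. -->
<Project>
  <PropertyGroup>
    <!-- Central package management: versions are declared here and the
         projects use versionless PackageReference items. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Transitive pinning: a version listed below is also enforced when the
         package is only reached as a transitive dependency. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <!-- 8.3.1 per the [Edit] note; the report says 8.3.0 works fine. -->
    <PackageVersion Include="Microsoft.IdentityModel.Protocols.WsFederation" Version="8.3.1" />
    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="8.3.1" />
    <PackageVersion Include="Microsoft.IdentityModel.Tokens.Saml" Version="8.3.1" />
    <PackageVersion Include="Microsoft.Extensions.Primitives" Version="8.0.0" />
    <!-- This pin is the 8.0.2 named in the downgrade error message. -->
    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.2" />
    <PackageVersion Include="Microsoft.Extensions.Logging" Version="8.0.1" />
  </ItemGroup>
</Project>
```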

jennyf19 added the Regression, Dependency Mismatch (Transitive dependency might be at play and create issues resulting in incorrect versions of a class) and P2 (High, but not urgent. Needs to be addressed within the next couple of sprints) labels and removed the needs attention and untriaged labels on Feb 1, 2025

jennyf19 (Collaborator) commented Feb 4, 2025

The team discussed this, might be related to #2817 and we might need to rework the Base64Url work a bit.

mconnew (Author) commented Feb 11, 2025

We had to release referencing the 8.3.0 version of the package. While this issue is unresolved, there's an added risk where any security patches won't be able to be consumed as nothing can be upgraded past 8.3.0 without breaking a lot of people.

mconnew (Author) commented Feb 21, 2025

I created a repro and updated the description pointing to it. Repro can be found here: https://github.com/mconnew/IssueRepros/tree/main/IdentityModelRepro

jmprieur self-assigned this Feb 21, 2025
jmprieur added the P1 (More important, prioritize highly) label and removed the P2 (High, but not urgent. Needs to be addressed within the next couple of sprints) label on Feb 21, 2025

jmprieur (Contributor) commented

P1 as blocking CoreWcf

jmprieur added a commit that referenced this issue Feb 21, 2025
jmprieur mentioned this issue Feb 21, 2025
brentschmaltz pushed a commit that referenced this issue Feb 22, 2025
pmaytak added this to the 8.6.0 milestone Mar 3, 2025