Skip to content

Bump Microsoft.Identity.Web.DownstreamApi from 4.11.0 to 4.12.2#27

Merged
maxstue merged 1 commit into
mainfrom
dependabot/nuget/apps/api/Microsoft.Identity.Web.DownstreamApi-4.12.2
Jul 7, 2026
Merged

Bump Microsoft.Identity.Web.DownstreamApi from 4.11.0 to 4.12.2#27
maxstue merged 1 commit into
mainfrom
dependabot/nuget/apps/api/Microsoft.Identity.Web.DownstreamApi-4.12.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 4, 2026

Copy link
Copy Markdown
Contributor

Updated Microsoft.Identity.Web.DownstreamApi from 4.11.0 to 4.12.2.

Release notes

Sourced from Microsoft.Identity.Web.DownstreamApi's releases.

4.12.2

Bug fixes

  • Make the Microsoft.Identity.Client.KeyAttestation dependency conditional on modern .NET (.NETCoreApp) targets. It transitively pulls the native-only Microsoft.Azure.Security.KeyGuardAttestation package, which ships no .NET Framework/netstandard-compatible assets and broke NuGet restore for .NET Framework (packages.config) projects. Microsoft.Identity.Web.Certificateless now multi-targets, and .NET Framework consumers use the netstandard2.0 asset without this dependency. See #​3894.

4.12.1

Bug fixes

  • Preserve ManagedIdentity when converting AcquireTokenOptions to TokenAcquisitionOptions in TokenAcquirer. Previously the ITokenAcquirer.GetTokenForAppAsync / GetTokenForUserAsync paths silently dropped ManagedIdentity and fell back to the confidential-client path, breaking managed-identity mTLS PoP (e.g. MISE Native). See #​3914.

Behavior changes

  • Sidecar: outbound HTTP redirects suppressed by default. The sidecar no longer follows outbound HTTP redirects; a new opt-in Sidecar:AllowOutboundRedirects flag (default false) restores the previous behavior. See #​3906.
  • Sidecar: per-request isolation of downstream API options. Downstream API options resolved from the singleton IOptionsMonitor are now cloned per request (including fresh ExtraParameters / ExtraHeaderParameters / ExtraQueryParameters dictionaries), preventing request-scoped values from leaking across requests or racing under concurrency. See #​3919.

Fundamentals

  • Build the solution in the PR pipeline before running tests. See #​3911.
  • Restore OWIN 5.7.1 packages from the internal IDDP feed in the PR pipeline. See #​3912.
  • Run the PR pipeline on the Wilson pool so integration/E2E tests can access the lab KeyVault. See #​3913.

4.12.0

New features

  • Implement IAuthorizationHeaderProvider2 (from Microsoft.Identity.Abstractions 12.3.0) on DefaultAuthorizationHeaderProvider and the public BaseAuthorizationHeaderProvider, exposing the metadata-rich CreateAuthorizationHeaderInformation* surface (returning OperationResult<AuthorizationHeaderInformation, AuthorizationHeaderError>) with binding-certificate propagation. DownstreamApi and MicrosoftIdentityMessageHandler now prefer IAuthorizationHeaderProvider2 for mTLS PoP and soft-deprecate the bound-only IBoundAuthorizationHeaderProvider path (kept as a fallback for source/binary compatibility). See #​3899.
  • Populate TokenAcquisitionMetadata.ExpiresOn on AcquireTokenResult from the MSAL AuthenticationResult.ExpiresOn value. See #​3905.

Bug fixes

  • Finalize the DownstreamApi request (headers, query parameters, content, and customizations) before creating the authorization header, adding Authorization only after signing so request-binding providers do not include it in their signed material. See #​3902.

Dependencies updates

  • Update Microsoft.Identity.Abstractions to 12.4.0. See #​3899, #​3905.
  • Update MSAL.NET (Microsoft.Identity.Client / Microsoft.Identity.Client.KeyAttestation) to 4.85.2. See #​3896.
  • Update Microsoft.IdentityModel.Protocols.WsFederation (Microsoft.Identity.Web.OWIN) to 5.7.1. See #​3900.

Commits viewable in compare view.

@dependabot dependabot Bot requested a review from maxstue as a code owner July 4, 2026 12:25
@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Jul 4, 2026
---
updated-dependencies:
- dependency-name: Microsoft.Identity.Web.DownstreamApi
  dependency-version: 4.12.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/nuget/apps/api/Microsoft.Identity.Web.DownstreamApi-4.12.2 branch from d7ffa3c to fd68d5d Compare July 6, 2026 20:37
@maxstue maxstue merged commit e9faa82 into main Jul 7, 2026
9 checks passed
@maxstue maxstue deleted the dependabot/nuget/apps/api/Microsoft.Identity.Web.DownstreamApi-4.12.2 branch July 7, 2026 06:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant