azure-activedirectory-identitymodel-extensions-for-dotnet

[Feature Request] Warn when different versions of the IdentityModel NuGet packages are used

Open reduckted opened this issue 11 months ago • 8 comments

Is your feature request related to a problem? Please describe.

Related to #2506

The wiki says:

All the IdentityModel libraries must have the same version 7.0.0 in your project and including the recursive dependencies.

However, that message is hidden away in the wiki where not everyone will see it. Even if that message were to be moved into the readme file, I still do not think it's enough because not having the same version of the libraries can result in code that silently fails, as demonstrated in #2506.

Having a build-time warning would prevent this mistake from occurring.

Describe the solution you'd like

Each NuGet package for the Microsoft.IdentityModel.* and System.IdentityModel.* libraries would contain an MSBuild task that checks the version of all IdentityModel libraries that are referenced by the project. If there is more than one unique version in use, a warning will be logged.

For example, given these package references:

<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.2" />
<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.4.0" />

A warning like this would be produced:

All of the IdentityModel libraries must have the same version in your project, including transitive dependencies. The versions in use are:
 - Microsoft.IdentityModel.Abstractions 7.4.0
 - Microsoft.IdentityModel.JsonWebTokens 7.4.0
 - Microsoft.IdentityModel.Logging 7.4.0
 - Microsoft.IdentityModel.Protocols 7.1.2
 - Microsoft.IdentityModel.Protocols.OpenIdConnect 7.1.2
 - Microsoft.IdentityModel.Tokens 7.4.0
 - System.IdentityModel.Tokens.Jwt 7.4.0

This warning explains what the problem is, and clearly identifies the versions of the transitive references, making it easy to understand what needs to be changed.

Describe alternatives you've considered

None.

Additional context

I have a working prototype for this and would be happy to contribute if this is a desired feature.

reduckted Mar 02 '24 12:03
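The check this request describes, sketched as a stand-alone script over the restored `obj/project.assets.json` rather than as an MSBuild task. This is an added example, not reduckted's prototype or the project's code; the sample data is constructed from the versions listed in the warning above, and the function names are hypothetical.

```python
import json
import re

# Package families named in the request: Microsoft.IdentityModel.* and System.IdentityModel.*
FAMILY = re.compile(r"^(Microsoft|System)\.IdentityModel\.", re.IGNORECASE)

# Constructed sample of the "libraries" section of obj/project.assets.json,
# whose keys have the form "<PackageId>/<Version>".
SAMPLE_ASSETS = json.dumps({"libraries": {
    "Microsoft.AspNetCore.Authentication.JwtBearer/8.0.2": {"type": "package"},
    "Microsoft.IdentityModel.Abstractions/7.4.0": {"type": "package"},
    "Microsoft.IdentityModel.JsonWebTokens/7.4.0": {"type": "package"},
    "Microsoft.IdentityModel.Logging/7.4.0": {"type": "package"},
    "Microsoft.IdentityModel.Protocols/7.1.2": {"type": "package"},
    "Microsoft.IdentityModel.Protocols.OpenIdConnect/7.1.2": {"type": "package"},
    "Microsoft.IdentityModel.Tokens/7.4.0": {"type": "package"},
    "System.IdentityModel.Tokens.Jwt/7.4.0": {"type": "package"},
}})

def identitymodel_versions(assets_json):
    """Return {package id: resolved version} for IdentityModel packages,
    direct and transitive, as recorded by NuGet restore."""
    found = {}
    for key, meta in json.loads(assets_json).get("libraries", {}).items():
        name, _, version = key.partition("/")
        # Skip project references; only resolved packages are compared.
        if meta.get("type") == "package" and FAMILY.match(name):
            found[name] = version
    return found

def mismatch_warning(assets_json):
    """Return the warning text when more than one version is in use, else None."""
    versions = identitymodel_versions(assets_json)
    if len(set(versions.values())) <= 1:
        return None
    lines = ["All of the IdentityModel libraries must have the same version in "
             "your project, including transitive dependencies. The versions in use are:"]
    lines += [f" - {name} {ver}" for name, ver in sorted(versions.items())]
    return "\n".join(lines)

if __name__ == "__main__":
    warning = mismatch_warning(SAMPLE_ASSETS)
    print(warning or "IdentityModel package versions are consistent.")
```

Run after `dotnet restore` in CI and fail the job when `mismatch_warning` returns text, so the mismatch is caught before it can fail silently at runtime.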

Hello, thanks for raising this issue.

I think I got a solution working where the NuGet packages would have explicit version requirements: = 7.4.0 instead of >=

Would that meet your expectations here?


Edit.

This wouldn't help until ASP.NET Core took a package with the new version restrictions.

keegan-caruso Mar 06 '24 17:03

Duplicate of #1794

jennyf19 Mar 28 '24 01:03