build(deps): bump Microsoft.Identity.Web from 2.7.0 to 2.15.5 in /src/service

[dependabot]

Bumps Microsoft.Identity.Web from 2.7.0 to 2.15.5.

Release notes

Sourced from Microsoft.Identity.Web's releases.

2.15.5

• Update to .NET 8 GA
• Update to Microsoft.Graph 5.34.0

Bug Fixes

• Fixes an issue where users were not able to override ICredentialsLoader. See #2564 for details.
• The latest patch version is no longer used in dependencies, as it made builds non-deterministic. See #2569 for details.
• Removed dependencies that were no longer needed. See #2577 for details.
• Fixes an issue where the build did not look up project names as package dependencies. See #2579 for more details.

Fundamentals

• Enable baseline package validation, see #2572 for details.
• Improve trimmability on .NET 8, see #2574 for details.

2.15.3

• Update Azure.Identity library to 1.10.2 for CVE-2023-36414.

Bug Fixes:

• Microsoft.Identity.Web honors the user-provided value for the cache expiry for in-memory cache. See #2466 for details.

2.15.2

• For the .NET 8 rc2 target framework, the IdentityModel dependencies have been updated to Identity.Model.*.7.0.3.

Bug Fixes

• Fixes a regression introduced in 2.15.0 where the OnTokenValidated delegates were no longer chained with an await. See issue#2513.

2.15.1

• Updated IdentityModel dependencies to Identity.Model.*.6.33.0 for all target frameworks other than .NET 8 rc1, for which Microsoft,Identity.Web leverages Identity.Model 7.0.2

New features

• TokenAcquirerFactory now adds support for reading the configuration from environment variables. See issue #2480

Experimental API

(to get feedback, could change without bumping-up the major version)

• It's now possible for an application to observe the client certificate selected by Token acquirer from the ClientCredentials properties, and when the certicate is un-selected (because it's rejected by the Identity Provider, as expired, or revoked). See Observing client certificates. PR #2496

Bug Fixes

• Fixes a resiliency issue where the client certificate rotation wasn't always happening (from KeyKeyVault, or certificate store with same distinguished name). See #2496 for details.
• In the override of AddMicrosoftIdentityWebApp taking a delegate, the delegate is now called only once (it was called twice causing the TokenValidated event to be called twice as well). Fixes #2328
• Fixes a regression introduced in 2.13.3, causing the configuration to not be read, when using an app builder other than the WindowsAppBuilder with AddMicroosftIdentityWebApp/Api, unless you provided an empty authentication scheme when acquiring a token. Fixes #2460, #2410, #2394

2.13.4

• Update to IdentityModel 7.0.0-preview5 on .NET 8 and IdentityModel 6.32.3 for the other target frameworks.
• Update to MSAL 4.56.0, which now enables the cache synchronization by default

... (truncated)

Changelog

Sourced from Microsoft.Identity.Web's changelog.

2.15.5

• Update to .NET 8 GA
• Update to Microsoft.Graph 5.34.0

Bug Fixes

• Fixes an issue where users were not able to override ICredentialsLoader. See #2564 for details.
• The latest patch version is no longer used in dependencies, as it made builds non-deterministic. See #2569 for details.
• Removed dependencies that were no longer needed. See #2577 for details.
• Fixes an issue where the build did not look up project names as package dependencies. See #2579 for more details.

Fundamentals

• Enable baseline package validation, see #2572 for details.
• Improve trimmability on .NET 8, see #2574 for details.

2.15.3

• Update Azure.Identity library to 1.10.2 for CVE-2023-36414.

Bug Fixes:

• Microsoft.Identity.Web honors the user-provided value for the cache expiry for in-memory cache. See #2466 for details.

2.15.2

• For the .NET 8 rc2 target framework, the IdentityModel dependencies have been updated to Identity.Model.*.7.0.3.

Bug Fixes

• Fixes a regression introduced in 2.15.0 where the OnTokenValidated delegates were no longer chained with an await. See issue#2513.

2.15.1

• Updated IdentityModel dependencies to Identity.Model.*.6.33.0 for all target frameworks other than .NET 8 rc1, for which Microsoft,Identity.Web leverages Identity.Model 7.0.2

2.15.0

New features

• TokenAcquirerFactory now adds support for reading the configuration from environment variables. See issue #2480

Experimental API

(to get feedback, could change without bumping-up the major version)

• It's now possible for an application to observe the client certificate selected by Token acquirer from the ClientCredentials properties, and when the certicate is un-selected (because it's rejected by the Identity Provider, as expired, or revoked). See Observing client certificates. PR #2496

Bug Fixes

• Fixes a resiliency issue where the client certificate rotation wasn't always happening (from KeyKeyVault, or certificate store with same distinguished name). See #2496 for details.
• In the override of AddMicrosoftIdentityWebApp taking a delegate, the delegate is now called only once (it was called twice causing the TokenValidated event to be called twice as well). Fixes #2328
• Fixes a regression introduced in 2.13.3, causing the configuration to not be read, when using an app builder other than the WindowsAppBuilder with AddMicroosftIdentityWebApp/Api, unless you provided an empty authentication scheme when acquiring a token. Fixes #2460, #2410, #2394

2.14.0

... (truncated)

Commits

• 9350195 update changelog for 2.15.4 (#2590)
• 9427efe make updates for .NET 8 (#2594)
• bbaa188 Only use IM7 transitive deps for net8+ (#2593)
• 59d033e Making msidentity-app-sync work cross-platform (#2591)
• a01967a clean-up and fix failing tests for net8 (#2589)
• efd1dec Kellyyangsong/net8 ga (#2584)
• 0fb9929 update to .net8 GA (#2583)
• 665645c fix appsync tool version (#2580)
• 9fa0c90 Investigate removing no longer necessary dependencies while investigating #2...
• 495970e Jennyf/cross plat validator (#2491)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)