Okta SDK.NET 8.1.5 Triggers a transient dependency breaking issue

[rcollette]

Describe the bug?

This is not a bug per-se, but existing applications can experience a breaking change to their application behavior, due to a mismatch in dependency versions needed by Microsoft.AspNetCore.Authentication.JwtBearer

I have documented the issue further in
dotnet/aspnetcore#57940

The normal list of dependencies for Microsoft.AspNetCore.Authentication.JwtBearer are shown here

When importing just the two updated versions of packages that were included with the 8.1.5 release, there is now a mismatch between the cooperating packages

To fix two additional packages must be referenced in the project.

    <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="8.0.2" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.0.2" />

What is expected to happen?

Documentation of this library may want to call out, at least on a temporary basis, the need to import additional dependencies to ensure JWTBearer token authentication does not break, if being used.

What is the actual behavior?

JWTBearer authentication fails at runtime with

IDX10500: Signature validation failed. No security keys were provided to validate the signature

Reproduction Steps?

The description is sufficient since there isn't an actual bug in the SDK code.

Additional Information?

No response

.NET Version

8.0.401

SDK Version

8.1.5

OS version

No response

[bryanapellanes-okta]

@rcollette Thanks for bringing this to our attention. I've entered an internal issue for tracking and prioritization: OKTA-812145

[rcollette]

Related to previous issue #736

[NoahStolk]

This is not the first time this has happened. I reported the same issue for 7.0.4 as well: #692 & #690

This is the issue: https://github.com/okta/okta-sdk-dotnet/pull/744/files#diff-697ea5e447b22623a833c3c071533ce619c00014b2d0362b1496ffa2df3787f1

This is a breaking change which goes against Okta's own versioning policy. This page is listed in the README.

We:
Increase the patch version for bug fixes, security fixes, and code documentation. Backwards compatible and no breaking changes.
Increase the minor version for new features and additions to the library's interface. Backwards compatible and no breaking changes.
Increase the major version for breaking changes to the library's interface or breaking changes to behavior.

Why couldn't this be released as v9? Please revert this change and release it as 8.1.6. We will be banning version 8.1.5 as it breaks all of our applications.

[chekm8]

I just ran into this issue today, I have an .Net 8 project referencing the Okta.AspNetCore package and I was able to consume access_token's fine. I added a reference to the latest Okta.Sdk (v9.0.0) and immediately started to get a invalid_token, "The signature key was not found" error. I didn't even implement any code to consume the SDK yet.

Added a direct reference to the following packages resolved the issue:

<PackageReference Include="Microsoft.IdentityModel.Protocols" Version="8.2.0" />
<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.2.0" />