Azure-sdk-for-net: Microsoft.Rest.ClientRuntime.Azure.Authentication prevents updating to the latest version of Microsoft.IdentityModel.Tokens

@jsquire this is causing users issues, is there anything you can do?

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1369

We hit the same issue. Basically our auth middleware has a dependency on System.IdentityModel.Tokens.Jwt v6.5.1 which requires Microsoft.IdentityModel.Tokens 6.5.1.

It's conflicting with most of the azure SDK as they depends on Microsoft.IdentityModel.Tokens (>= 5.1.2 && < 6.0.0).

We are hesitating to downgrade the System.IdentityModel.Tokens.Jwt to v5.* as it might bring unexpected auth result.

With apologies, I'm only first-line triage in this case, helping to get things tagged so that the appropriate team is routed to. This definitely should have been picked up by now, and I regret that I don't have an answer as to why it hasn't nor a proper escalation path. I've made a few inquiries to, hopefully, find an owner.

In the meantime, if you're willing to share the specific libraries that you're using which are impacted, it would help me to pull in additional points of contact that may have more insight. To start, are these management libraries or clients for specific services?

Here is the chain of the libraries we are using

Microsoft.Azure.Management.Fluent 1.33.0 -> 

Microsoft.Azure.Management.ResourceManager.Fluent 1.33.0 -> 

Microsoft.Rest.ClientRuntime.Azure.Authentication 2.4.0 -> 

Microsoft.IdentityModel.Tokens (>= 5.1.2 && < 6.0.0)

Thank you, @fabregaszy, that's helpful.

@erich-wang: Can you help route this to the correct owner for the fluent management libraries?

//cc: @pakrym

@jsquire thanks!

@jsquire What can owner of the fluent management libraries do? It looks to me that the team responsible for Microsoft.Rest.ClientRuntime.Azure.Authentication should update their dependencies and make sure they are compatible with the latest version of Microsoft.IdentityModel.Tokens. As more and more other projects will update to Microsoft.IdentityModel.Tokens 6.x version, the number of compatibility problems will increase because of this.

@jsquire What can owner of the fluent management libraries do?

@older: I would see the first item of investigation as to whether or not the fluent libraries are up to date on their dependencies and using the most recent version of the client runtime components. It's possible that updating the fluent dependencies would help to resolve. If not, then they would begin to trace the dependency chain to understand where the authentication dependency is introduced, which may be direct or indirect, and which could potentially be the result of the runtime generator.

Regardless of where changes are necessary, there would be action required for the fluent libraries to update dependencies, perform the needed testing, and determine a plan to release an updated version. It's quite likely there will need to be coordination between multiple teams to update and schedule releases to ensure that the set of management libraries do not have incompatible dependencies that would prevent them from being used together.

That said, as I am not personally familiar with the development process used by teams in the management library space, I can only generalize. If you have specific knowledge of changes needed and feel that they are sufficiently isolated as not to impact other management libraries, please consider submitting a pull request to help kick start the process.

@jsquire you could release a new major version that uses the 6.x versions of IdentityModel that would insulate users.

That decision is not mine to make and, unfortunately, I have no insight into the process used by the teams who own the management libraries. @erich-wang would be better positioned to speak to the available options and decision making process there.

@jsquire

whether or not the fluent libraries are up to date on their dependencies and using the most recent version of the client runtime components

It doesn't matter what version is used in the fluent libraries. Even the most recent version of Microsoft.Rest.ClientRuntime.Azure.Authentication sets upper version limit for Microsoft.IdentityModel.Tokens

Problem is that any project which references both Microsoft.Rest.ClientRuntime.Azure.Authentication and Microsoft.IdentityModel.Tokens cannot update to any version of Microsoft.IdentityModel.Tokens higher than 5.x because of this upper range limit in Microsoft.Rest.ClientRuntime.Azure.Authentication

@older: Yes, there is truth to that. Updating Fluent alone does not solve the root cause in the case where the Runtime Authentication library has not yet updated its dependency. It was not my intent to imply that it would.

To get this moving forward, we have to start somewhere. Lacking a point of contact for the Runtime Auth library, it is my hope that pulling in the folks from one of the libraries impacted (fluent, in this case) may help to raise awareness and get traction. Best case, because those folks are working in the space and have this dependency, they'll be able to help pull in the correct people to address the root. Worst case, it calls attention within the management space and lets teams start evaluating whether or not they will need a new package release when the root cause is fixed.

To be clear - there are still internally-focused efforts under way to escalate and find the correct owner for this issue within the scope of the Runtime Authentication library. As those are taking time to resolve, in my view, attempting to take some action here that may or may not prove helpful is better than doing nothing and waiting on email threads.

https://www.nuget.org/packages/Microsoft.Rest.ClientRuntime.Azure.Authentication/2.4.1 is out with relaxed version ranges.