1.23.1

• Fix regression and other issues related to client credentials (#986)
  • Fix for regression after latest release where certificate-based assertions were never refreshed (#984)
  • Fix/improve behavior to properly handle callback-based assertions set at the application level (#879, #977)
  • Generally improve internal assertion behavior by making assertions entirely per-request

Full Changelog: v1.23.0...v1.23.1

1.23.0

• Reduced dependency footprint by removing third-party libraries (#909):
  • Replaced org.projectlombok with direct implementations of previously generated code (#946)
  • Replaced com.nimbusds OAuth/OIDC functionality with our own implementation (#926, #927, #928, #941, #945)
  • Replaced com.fasterxml.jackson with com.azure.json for JSON parsing/serialization (#947, #948)
  • Internal behavior and public APIs remain unchanged, except for those noted below
• Minor breaking changes:
  • Removed protected APIs that returned or used com.nimbusds.ClientAuthentication
    • These APIs were not used by any other public MSAL API, and are unlikely to have been used by other libraries
  • Improved JSON error handling to return more informative MsalClientException/MsalServiceException rather than generic JSON exceptions

v1.22.0

What's Changed

• Validate issuer from OIDC endpoint when using the oidcAuthority() API by @Avery-Dunn (#970)
• Suppressed SHA-1 CodeQL flag by @Avery-Dunn in #969
• Bump com.nimbusds.oauth2-oidc-sdk from 11.23 to 11.23.1 by @Donnerbart in #974
• Add/improve javadocs for interface classes by @Avery-Dunn in #973

New Contributors

• @Donnerbart made their first contribution in #974

Full Changelog: v1.21.0...v1.22.0

1.21.0

• Add support for claims, client capabilities, and token revocation in Service Fabric scenarios (#929, #943)
• Improve retry logic for HTTP requests, and add API to disable retries (#960, #963, #964)
• Support multiple date formats in Managed identity scenarios (#956)
• Fix query parameter issue in IMDS scenarios (#954)
• Update dependencies used in tests to avoid CVE warnings (#962)

1.20.1

• Fix Base64URL decoding bug (#938)

1.20.0

• Replace some usage of jackson-databind with azure-json (#918)
• Remove Lombok code generation from most classes (#919, #925)
• Remove some usage of nimbusds-oauth2-oidc-sdk (#927, #928)
• Fix refresh metadata not being set in MI flows (#931)
• Add distinct exception type for JSON parsing errors (#933)

1.19.1

What's Changed

• CVE-2023-1370 fix by @FerencKemeny in #914

New Contributors

• @FerencKemeny made their first contribution in #914

Full Changelog: 1.19.0...v1.19.1

1.19.0

What's Changed

• Fix potential null pointer exception during cache lookup in #894
• Update plugins to be compatible with Java 17 builds in #900
• Fix regression issue in IClientCertificate caused by SHA256 changes in #898
• Add CacheRefreshReason to telemetry and metadata in #901
• Downgrade json-smart dependency due to CVE alert in #905

Full Changelog: v1.18.0...1.19.0

v1.18.0

What's Changed

• Fix Www-Authenticate not being read by @blancqua in #885
• Bump jackson-databind dependency by @Avery-Dunn in #887
• Pass optional tenant override to internal silent call by @Avery-Dunn in #886

New Contributors

• @blancqua made their first contribution in #885

v1.17.3

• Correctly set buffer for expired tokens (#875)
• Bump commons-io dependency from 2.7 to 2.14.0 (#871)