Hi,
I have an MVC web application using .NET Framework 4.8 and Okta authentication. I am using the Okta.AspNet middleware, so IdentityModel is installed as part of the Okta.AspNet NuGet package. Now that IdentityModel is deprecated, the NuGet package manager is suggesting that I use Duende.IdentityModel instead. I am unable to remove the IdentityModel package due to the dependency. How do I decouple it and use Duende.IdentityModel instead?
Thanks!
The issue is being tracked and prioritized by the engineering team.
opened 01:52PM - 17 Oct 24 UTC
bug
OKTA-852184
### Describe the bug?
Libraries referenced in NuGet packages are old versions with known security vulnerabilities.
This results in scanning tools flagging the use of okta-aspnet as a breach in security policies.
Affected packages are:
- System.Text.Encodings.Web:4.7.2
- Okta.AspNet.Abstractions:5.1.0 -> System.IdentityModel.Tokens.Jwt:6.35.0 -> Microsoft.IdentityModel.JsonWebTokens:6.35.0 -> System.Text.Encodings.Web:4.7.2
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-41089
- System.Text.Json:8.0.4
- https://github.com/advisories/GHSA-8g4q-xg66-9fp4
### What is expected to happen?
No security issues should be raised by scanning tools
### What is the actual behavior?
Scanning tools flag the use of okta-aspnet
### Reproduction Steps?
N/A
### Additional Information?
_No response_
### .NET Version
8.0.403
### SDK Version
.NET SDK:
Version: 8.0.403
Commit: c64aa40a71
Workload version: 8.0.400-manifests.e99c892e
MSBuild version: 17.11.9+a69bbaaf5
### OS version
BuildNumber Caption OSArchitecture Version
19045 Microsoft Windows 10 Enterprise 64-bit 10.0.19045
system
Closed
April 24, 2025, 1:46pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.