Bug fixes
- Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #3785.
Behavior changes
- DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-, Proxy-, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #3793.
Dependency updates
- Updated MSAL.NET 4.76.0 → 4.83.1
- Bump System.Security.Cryptography.Pkcs and System.Security.Cryptography.Xml to latest patched versions. See #3799.
Full Changelog: 3.14.1...3.15.0