Upgrade dependency versions and fix failing tests

.github/dependabot.yml

@@ -31,15 +31,6 @@ updates:
     labels:
       - "dependencies"
       - "npm"
-    # Only security updates for npm since they're dev dependencies
-    # for build scripts and not critical for library functionality
-    allow:
-      - dependency-type: "direct"
-        update-type: "version-update:semver-patch"
-      - dependency-type: "direct"
-        update-type: "version-update:semver-minor"
-      - dependency-type: "indirect"
-        update-type: "security-update"
 
   - package-ecosystem: "github-actions"
     directory: "/"

src/Auth0.AspNetCore.Authentication/Auth0.AspNetCore.Authentication.csproj

@@ -6,10 +6,11 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="6.0.*" Condition="'$(TargetFramework)' == 'net6.0'" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.*" Condition="'$(TargetFramework)' == 'net6.0'" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="7.0.*" Condition="'$(TargetFramework)' == 'net7.0'" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.*" Condition="'$(TargetFramework)' == 'net8.0'" />
-    <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.12.1" />
+
+    <PackageReference Include="System.Text.Encodings.Web" Version="8.0.0" />
   </ItemGroup>
 
   <ItemGroup>

src/Auth0.AspNetCore.Authentication/PushedAuthorizationRequest/PushedAuthorizationRequestHandler.cs

@@ -24,11 +24,20 @@
         var oidcConfiguration =
             await oidcOptions.ConfigurationManager?.GetConfigurationAsync(default)!;
 
-        object? rawParEndpoint = string.Empty;
-        oidcConfiguration?.AdditionalData.TryGetValue("pushed_authorization_request_endpoint", out rawParEndpoint);
-        string? parEndpoint = rawParEndpoint as string;
+        // Trying to get the PAR endpoint from the property first, fallback to AdditionalData for older configs.
+        string? parEndpoint = null;
+        if (oidcConfiguration != null)
+        {
+            parEndpoint = oidcConfiguration?.PushedAuthorizationRequestEndpoint;
+            if (string.IsNullOrEmpty(parEndpoint))
+            {
+                object? rawParEndpoint = string.Empty;
+                oidcConfiguration.AdditionalData?.TryGetValue("pushed_authorization_request_endpoint", out rawParEndpoint);
+                parEndpoint = rawParEndpoint as string;
+            }
+        }
 
-        // If PAR was enabled in the options, but no `pushed_authorization_request_endpoint` value is find
+        // If PAR was enabled in the options, but no `pushed_authorization_request_endpoint` value is found
         // in the OIDC configuration, we will throw an error.
         if (string.IsNullOrEmpty(parEndpoint))
         {

tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0.AspNetCore.Authentication.IntegrationTests.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFrameworks>net6.0</TargetFrameworks>
+    <TargetFramework>net8.0</TargetFramework>
   </PropertyGroup>
 
   <ItemGroup>
@@ -24,18 +24,17 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="FluentAssertions" Version="5.10.3" />
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="6.0.*" Condition="'$(TargetFramework)' == 'net6.0'" />
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.ViewFeatures" Version="2.2.0" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.4" />
-    <PackageReference Include="Microsoft.AspNetCore.TestHost" Version="6.0.*" Condition="'$(TargetFramework)' == 'net6.0'" />
-    <PackageReference Include="Moq" Version="4.16.1" />
-    <PackageReference Include="xunit" Version="2.4.2" />
+    <PackageReference Include="FluentAssertions" Version="8.5.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.*" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.ViewFeatures" Version="2.3.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.4" />    
+    <PackageReference Include="Moq" Version="4.20.72" />
+    <PackageReference Include="xunit" Version="2.9.3" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="coverlet.collector" Version="3.0.3">
+    <PackageReference Include="coverlet.collector" Version="6.0.*">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>

tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0MiddlewareTests.cs

@@ -19,6 +19,7 @@
 using System.Security.Cryptography;
 using System.Linq;
 using Auth0.AspNetCore.Authentication.Exceptions;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 
 namespace Auth0.AspNetCore.Authentication.IntegrationTests
@@ -951,12 +952,13 @@ public async Task Should_Throw_When_Organization_Provided_But_Claim_Missing()
 
                     var innerException = act
                         .Should()
-                        .Throw<Exception>()
+                        .ThrowAsync<Exception>()
+                        .Result
                         .And.InnerException;
 
                     innerException
                         .Should()
-                        .BeOfType<Exception>()
+                        .BeOfType<AuthenticationFailureException>()
                         .Which.Message.Should().Be("Organization claim (org_id) must be a string present in the ID token.");
                 }
             }
@@ -1007,12 +1009,13 @@ public async Task Should_Throw_When_Organization_Provided_But_Claim_Mismatch()
 
                     var innerException = act
                         .Should()
-                        .Throw<Exception>()
+                        .ThrowAsync<Exception>()
+                        .Result
                         .And.InnerException;
 
                     innerException
                         .Should()
-                        .BeOfType<Exception>()
+                        .BeOfType<AuthenticationFailureException>()
                         .Which.Message.Should().Be("Organization claim (org_id) mismatch in the ID token; expected \"org_123\", found \"org_456\".");
                 }
             }
@@ -1070,12 +1073,13 @@ public async Task Should_Allow_Custom_Token_Validation()
 
                     var innerException = act
                         .Should()
-                        .Throw<Exception>()
+                        .ThrowAsync<Exception>()
+                        .Result
                         .And.InnerException;
 
                     innerException
                         .Should()
-                        .BeOfType<Exception>()
+                        .BeOfType<AuthenticationFailureException>()
                         .Which.Message.Should().Be("Triggered Custom Validation.");
                 }
             }

tests/Auth0.AspNetCore.Authentication.IntegrationTests/BackchannelLogoutTests.cs

@@ -38,7 +38,7 @@ public async Task Should_Return_405_If_Not_Post()
         using var client = server.CreateClient();
         var res = await client.SendAsync($"{TestServerBuilder.Host}/backchannel-logout");
 
-        res.StatusCode.Should().Be(405);
+        res.StatusCode.Should().Be((HttpStatusCode)405);
     }
 
     [Fact]
@@ -67,7 +67,7 @@ public async Task Should_return_400_when_not_form_urlencoded()
         var content = await response.Content.ReadAsStringAsync();
         var error = ApiError.Parse(content);
 
-        response.StatusCode.Should().Be(400);
+        response.StatusCode.Should().Be((HttpStatusCode)400);
         error.Message.Should().Be("Only application/x-www-form-urlencoded is allowed.");
     }
 
@@ -99,7 +99,7 @@ public async Task Should_return_400_when_no_logout_token()
         var content = await response.Content.ReadAsStringAsync();
         var error = ApiError.Parse(content);
 
-        response.StatusCode.Should().Be(400);
+        response.StatusCode.Should().Be((HttpStatusCode)400);
         error.Message.Should().Be("Missing logout_token.");
     }
 
@@ -139,7 +139,7 @@ public async Task Should_Validate_Signature_On_Backchannel_Logout()
         var content = await response.Content.ReadAsStringAsync();
         var error = ApiError.Parse(content);
 
-        response.StatusCode.Should().Be(400);
+        response.StatusCode.Should().Be((HttpStatusCode)400);
         error.Message.Should().Contain("Signature validation failed.");
     }
 
@@ -177,7 +177,7 @@ public async Task Should_Validate_Issuer_On_Backchannel_Logout()
         var content = await response.Content.ReadAsStringAsync();
         var error = ApiError.Parse(content);
 
-        response.StatusCode.Should().Be(400);
+        response.StatusCode.Should().Be((HttpStatusCode)400);
         error.Message.Should().Contain("Issuer validation failed.");
     }
 
@@ -216,7 +216,7 @@ public async Task Should_Validate_Audience_On_Backchannel_Logout()
         var content = await response.Content.ReadAsStringAsync();
         var error = ApiError.Parse(content);
 
-        response.StatusCode.Should().Be(400);
+        response.StatusCode.Should().Be((HttpStatusCode)400);
         error.Message.Should().Contain("Audience validation failed.");
     }
 
@@ -254,7 +254,7 @@ public async Task Should_Validate_Sid_On_Backchannel_Logout()
         var content = await response.Content.ReadAsStringAsync();
         var error = ApiError.Parse(content);
 
-        response.StatusCode.Should().Be(400);
+        response.StatusCode.Should().Be((HttpStatusCode)400);
         error.Message.Should().Contain("Session Id (sid) claim must be a string present in the logout token.");
     }
 
@@ -295,7 +295,7 @@ public async Task Should_Validate_Nonce_On_Backchannel_Logout()
         var content = await response.Content.ReadAsStringAsync();
         var error = ApiError.Parse(content);
 
-        response.StatusCode.Should().Be(400);
+        response.StatusCode.Should().Be((HttpStatusCode)400);
         error.Message.Should().Contain("Nonce (nonce) claim must not be present in the logout token.");
     }
 
@@ -333,7 +333,7 @@ public async Task Should_Validate_Events_When_Missing_On_Backchannel_Logout()
         var content = await response.Content.ReadAsStringAsync();
         var error = ApiError.Parse(content);
 
-        response.StatusCode.Should().Be(400);
+        response.StatusCode.Should().Be((HttpStatusCode)400);
         error.Message.Should().Contain("Events (events) claim must be present in the logout token.");
     }
 
@@ -372,7 +372,7 @@ public async Task Should_Validate_Events_When_Missing_Property_Backchannel_Logou
         var content = await response.Content.ReadAsStringAsync();
         var error = ApiError.Parse(content);
 
-        response.StatusCode.Should().Be(400);
+        response.StatusCode.Should().Be((HttpStatusCode)400);
         error.Message.Should().Contain("Events (events) claim must contain a 'http://schemas.openid.net/event/backchannel-logout' property in the logout token.");
     }
 
@@ -408,7 +408,7 @@ public async Task Should_Pass_Validation_On_Backchannel_Logout()
         req.Content = new FormUrlEncodedContent(formData);
         using var response = await client.SendAsync(req);
 
-        response.StatusCode.Should().Be(200);
+        response.StatusCode.Should().Be((HttpStatusCode)200);
     }
 
     [Fact]