Bump ModelContextProtocol.AspNetCore from 1.3.0 to 1.4.0#1329
Merged
Aaronontheweb merged 1 commit intoJun 6, 2026
Merged
Conversation
Collaborator
|
@dependabot rebase |
--- updated-dependencies: - dependency-name: ModelContextProtocol.AspNetCore dependency-version: 1.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
973d8ea to
32ae2c3
Compare
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated ModelContextProtocol.AspNetCore from 1.3.0 to 1.4.0.
Release notes
Sourced from ModelContextProtocol.AspNetCore's releases.
1.4.0
v1.4.0 introduces support for the Identity Assertion Authorization Grant (ID-JAG) flow via the new
IdentityAssertionGrantProvider, enabling enterprise SSO scenarios where users authenticate once via their enterprise Identity Provider and access MCP servers without per-server authorization prompts. The release also adds a newInheritEnvironmentVariablesoption onStdioClientTransportOptionsfor controlling the child server's environment, alongside two security hardening fixes: the stdio client transport no longer enumerates child-process environment variables in Trace logs, andDELETEon a Streamable HTTP session now requires the same authenticated user that initiated the session.What's Changed
InheritEnvironmentVariablestoStdioClientTransportOptions#1563 by @halter73 (co-authored by @Copilot)HandleDeleteRequestAsyncnow mirrors theHasSameUserIdcheck already enforced on GET and POST. ADELETEwith a validMcp-Session-Idbut a different authenticated user now returns403 Forbiddeninstead of terminating the session — defense-in-depth against a leaked session ID being used to DoS the original owner.IdentityAssertionGrantProviderand supporting option/response types inModelContextProtocol.Authenticationimplementing the Identity Assertion Authorization Grant flow: RFC 8693 token exchange at the enterprise IdP (ID Token → JWT Authorization Grant) followed by RFC 7523 JWT bearer grant at the MCP authorization server (JAG → access token). See the new Cross-Application Access section in the transport docs for full usage details.Documentation Updates
Repository Infrastructure Updates
Acknowledgements
Full Changelog: modelcontextprotocol/csharp-sdk@v1.3.0...v1.4.0
Commits viewable in compare view.