IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

Restrict IdentityModel maximum version in nuspec #113

Closed nicholi closed 7 years ago

nicholi commented 7 years ago

IdentityModel2 did not get a new package name and someone might unsuspectingly upgrade to a 2.x version with this package (even though a 1.0->2.0 jump should indicate breaking changes). As far as I can tell the only breaking changes were that the extension class IdentityModel.Extensions.HashStringExtensions is no longer present in IdentityModel2. Also IdentityModel.Client.IntrospectionResponse was refactored a lot and the Claims property now returns a well-typed System.Security.Claims.Claim class, whereas before it was just Tuple<String, String>.

Took me a while to track this down because I did not have Owin logging set up, rather frustrating. Unless the breaking changes are going to be addressed, all you would need to do is add an upper exclusive restriction to the version in nuspec.

<package id="IdentityModel" version="[1.9.2,2.0)" targetFramework="net45" />
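
The effect of the range proposed above, checked in code. This is an added example, not part of the original comment or the project's code; it assumes the earlier dependency was a bare `1.9.2` (the page does not show it), uses constructed candidate versions, and handles numeric release versions only (no prerelease labels).

```python
import re

def parse_version(text):
    """'2.0' -> (2, 0, 0, 0): missing parts count as 0 (numeric releases only)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("bad version: %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))

def parse_range(spec):
    """Return (lower, lower_inclusive, upper, upper_inclusive); None = unbounded."""
    spec = spec.strip()
    if spec and spec[0] not in "[(":
        # A bare version is a minimum, not a pin: "1.9.2" means >= 1.9.2.
        return parse_version(spec), True, None, False
    m = re.fullmatch(r"([\[(])([^,\])]*)(?:(,)([^\])]*))?([\])])", spec)
    if not m:
        raise ValueError("bad range: %r" % spec)
    open_b, low, comma, high, close_b = m.groups()
    if comma is None:
        # "[1.9.2]" is the exact-version form.
        if (open_b, close_b) != ("[", "]"):
            raise ValueError("bad range: %r" % spec)
        pinned = parse_version(low)
        return pinned, True, pinned, True
    lower = parse_version(low) if low.strip() else None
    upper = parse_version(high) if high.strip() else None
    return lower, open_b == "[", upper, close_b == "]"

def satisfies(version, spec):
    """True if the version falls inside the dependency range."""
    lower, lo_inc, upper, up_inc = parse_range(spec)
    v = parse_version(version)
    if lower is not None and (v < lower or (v == lower and not lo_inc)):
        return False
    if upper is not None and (v > upper or (v == upper and not up_inc)):
        return False
    return True

def admitted(spec, candidates):
    """Subset of candidate versions that the range lets a restore pick."""
    return [c for c in candidates if satisfies(c, spec)]

# Constructed candidate versions, not a list of real IdentityModel releases.
CANDIDATES = ["1.9.1", "1.9.2", "1.13.0", "2.0.0", "2.1.0"]

if __name__ == "__main__":
    for spec in ("1.9.2", "[1.9.2,2.0)"):  # assumed "before", proposed "after"
        print(spec, "->", admitted(spec, CANDIDATES))
```

With the bare minimum the 2.x candidates are admitted; with the half-open interval only the 1.x candidates at or above 1.9.2 remain.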

technicaljoe-atwork commented 7 years ago

I've encountered the same issue as well. This was tracked down once I enabled Katana logging.

I've received the following error in the log file:

Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed
System.TypeLoadException: Could not load type 'IdentityModel.Extensions.HashStringExtensions' from assembly 'IdentityModel, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null'.
   at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.<ReceiveAsync>d__1.MoveNext()
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[TStateMachine](TStateMachine& stateMachine)
   at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.ReceiveAsync(AuthenticationTokenReceiveContext context)
   at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()

leastprivilege commented 7 years ago

Yes - this is a todo.

Feel free to adjust the nuspec, test and send a PR.