Okta SDK.NET 8.1.5 Triggers a transient dependency breaking issue

[rcollette]

Describe the bug?

This is not a bug per-se, but existing applications can experience a breaking change to their application behavior, due to a mismatch in dependency versions needed by Microsoft.AspNetCore.Authentication.JwtBearer

I have documented the issue further in https://github.com/dotnet/aspnetcore/issues/57940

The normal list of dependencies for Microsoft.AspNetCore.Authentication.JwtBearer are shown here

When importing just the two updated versions of packages that were included with the 8.1.5 release, there is now a mismatch between the cooperating packages

To fix two additional packages must be referenced in the project.

    <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="8.0.2" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.0.2" />

What is expected to happen?

Documentation of this library may want to call out, at least on a temporary basis, the need to import additional dependencies to ensure JWTBearer token authentication does not break, if being used.

What is the actual behavior?

JWTBearer authentication fails at runtime with

IDX10500: Signature validation failed. No security keys were provided to validate the signature

Reproduction Steps?

The description is sufficient since there isn't an actual bug in the SDK code.

Additional Information?

No response

.NET Version

8.0.401

SDK Version

8.1.5

OS version

No response

[bryanapellanes-okta]

@rcollette Thanks for bringing this to our attention. I've entered an internal issue for tracking and prioritization: OKTA-812145

[rcollette]

Related to previous issue https://github.com/okta/okta-sdk-dotnet/issues/736