[Bug] Latest M.IM.Tokens package causes a downgrade error for CoreWCF

[mconnew]

Which version of Microsoft.IdentityModel are you using?
8.3.1

Where is the issue?

• M.IM.JsonWebTokens
• M.IM.KeyVaultExtensions
• M.IM.Logging
• M.IM.ManagedKeyVaultSecurityKey
• M.IM.Protocols
• M.IM.Protocols.OpenIdConnect
• M.IM.Protocols.SignedHttpRequest
• M.IM.Protocols.WsFederation
• M.IM.TestExtensions
• M.IM.Tokens
• M.IM.Tokens.Saml
• M.IM.Validators
• M.IM.Xml
• S.IM.Tokens.Jwt
• Other (please describe)

Is this a new or an existing app?

This is an existing library that I attempted to upgrade to a new version of M.IM.Tokens

Repro
Create a library that targets netstandard2.0. Add the following dependencies to that library:

• Microsoft.IdentityModel.Protocols.WsFederation 8.3.0
• Microsoft.IdentityModel.Tokens 8.3.0
• Microsoft.IdentityModel.Tokens.Saml 8.3.0
• Microsoft.Extensions.Primitives 8.0.0
• Microsoft.Extensions.Logging.Abstractions 8.0.2
• Microsoft.Extensions.Logging 8.0.1

The library is using central package management and has transitive pinning enabled.
Create a second application project which targets net9.0 that depends on the library. Run dotnet restore on the application project.
[Edit] I think I meant 8.3.1 above as 8.3.0 works fine.

Expected behavior
Packages will be restored

Actual behavior
Package restore fails with the following error message:
Warning As Error: Detected package downgrade: Microsoft.Extensions.Logging.Abstractions from 9.0.0 to 8.0.2. Reference the package directly from the project to select a different version.

Possible solution
Remove Microsoft.Extensions.Logging.Abstractions dependency from M.IM.Tokens. The 8.3.0 version of the package didn't have this dependency.

Additional context / logs / screenshots / links to code
There might be an existing issue for this, but I'm confused about what's written in it and the timeline so I'm not sure. Issue #3061 says this problem exists in 8.3.1, but the issue was opened before 8.3.1 was released. Additionally PR #3062 claims to fix issue #3061, and was created after the issue, but is actually the PR which introduced the problem.

Full repro can be found here: https://github.com/mconnew/IssueRepros/tree/main/IdentityModelRepro

[jennyf19]

The team discussed this, might be related to #2817 and we might need to rework the Base64Url work a bit.

[mconnew]

We had to release referencing the 8.3.0 version of the package. While this issue is unresolved, there's an added risk where any security patches won't be able to be consumed as nothing can be upgraded past 8.3.0 without breaking a lot of people.

[mconnew]

I created a repro and updated the description pointing to it. Repro can be found here: https://github.com/mconnew/IssueRepros/tree/main/IdentityModelRepro

[jmprieur]

P1 as blocking CoreWcf