add LTS policy (#3228)

jennyf19 · pmaytak · web-flow · commit 946bec18cdeb · 2025-05-08T20:07:06.000-07:00
* add LTS policy

* Apply suggestions from code review

* Update README.md

---------

Co-authored-by: Peter &lt;34331512+pmaytak@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -2,24 +2,60 @@
 
 [![Nuget](https://img.shields.io/nuget/v/Microsoft.IdentityModel.JsonWebTokens?label=Latest%20release)](https://www.nuget.org/packages/Microsoft.IdentityModel.JsonWebTokens/)
 
-IdentityModel Extensions for .NET provide assemblies that are interesting for web developers that wish to use federated identity providers for establishing the caller's identity.
+The **IdentityModel Extensions for .NET** library provides robust tools to enhance authentication and authorization workflows in your .NET applications. Backed by the Entra team, this library simplifies working with OpenID Connect (OIDC), OAuth2.0, and JSON Web Tokens (JWT) in .NET.
+
+Whether you're building secure APIs, implementing token validation, or managing claims, this library is designed to handle the heavy lifting for you.
+
+> **Why IdentityModel?**
+> - **Widely Adopted:** Trusted by thousands of developers to integrate OIDC and OAuth2.0 standards.
+> - **Secure by Design:** Built with security as a priority to reduce common vulnerabilities.
+> - **Extensible:** Easily extend or customize for advanced use cases.
+> - **Battle hardened:** Validates 5+ trillion requests daily, and growing.
 
 ## Versions
 
 You can find the release notes for each version [here](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases). Older versions can be found [here](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/Release-Notes).
 
-## IdentityModel 7x
+## Version Lifecycle and Support Matrix
+
+See [Long Term Support policy](./supportPolicy.md) for details.
+
+| Major Version | Last Release | Status |
+| --------------|--------------|--------|
+| 8.x           | 8.9.0        | Active (Current) |
+| 7.x           | 7.7.1        | Supported (LTS) through .NET 8 LTS lifetime Nov 10, 2026|
+| 6.x           | 6.36.0       | Not supported since May 2024|
+| 5.x           | 5.7.0        | Supported (LTS), tied to the Microsoft.Owin.Security.JWT 4.2.2 lifetime |
+
+## IdentityModel 8.x?
+
+Version `8.x` introduces significant updates and improvements:
+- **Enhanced Performance:** Optimized token validation to handle high-throughput scenarios.
+- **.NET Compatibility:** Fully compatible with .NET 9.
+
+>🧭LTS: Supported through .NET 9 LTS lifetime: May 12, 2026 + .NET 10 LTS (~3 years).
+
+## IdentityModel 7.x
+
+[IdentityModel 7x](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/IdentityModel-7x) introduced several improvements related to serialization and consistency in the API, which provide a better user experience for developers, as well as full AOT compatibility on .NET, and considerable performance improvements compared to IdentityModel 6x.
 
-We are excited to announce the release of [IdentityModel 7x](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/IdentityModel-7x), a major update to our popular .NET auth validation library. This new version introduces several improvements related to serialization and consistency in the API, which will provide a better user experience for developers, as well as full AOT compatibility on .NET, and huge perf improvements compared to 6x.
+>🧭LTS: Supported through .NET 8 LTS lifetime: Nov 10, 2026.
+>
+>⚡Recommendation: Move to 8.x.
 
-## Note about 6.x
+## IdentityModel 6.x
 
-We bumped the release from 6.x to 7.x.
-We are maintaining two releases from two different branches.
-dev - 7.x
-dev6x - 6.x
+>🧭Deprecated: Support ended with .NET 7 LTS lifetime: May 2024.
+>
+>⚡Action: Move to 8.x.
 
-dev6x will be maintained until March 2024, at which point, you will need to move to 7x to continue to get the latest and greatest improvements and security updates.
+## IdentityModel 5.x
+
+__Not a recommended version__
+
+>🧭LTS: Supported for Microsoft.Owin.Security.JWT
+>
+>⚡Action: Move to 8.x.
 
 ## Samples and Documentation
 
@@ -33,20 +69,18 @@ The scenarios supported by IdentityModel extensions for .NET are described in [S
 
 ## Community Help and Support
 
+Report a bug or request a feature directly in the [GitHub repo](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/new/choose).
+
+Have a design proposal? Please submit [a design proposal](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/new?assignees=&labels=design-proposal&projects=&template=design_proposal.md) before starting work on a PR to ensure it means the goals/objectives of this library and it's priorities.
+
 We leverage [Stack Overflow](http://stackoverflow.com/) to work with the community on supporting Microsoft Entra and its SDKs, including this one! We highly recommend you ask your questions on Stack Overflow (we're all on there!) Also browse existing issues to see if someone has had your question before.
 
 We recommend you use the "identityModel" tag so we can see it! Here is the latest Q&A on Stack Overflow for IdentityModel: [https://stackoverflow.com/questions/tagged/identityModel](https://stackoverflow.com/questions/tagged/identityModel)
 
-Have a design proposal? Please submit [a design proposal](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/new?assignees=&labels=design-proposal&projects=&template=design_proposal.md) before starting work on a PR to ensure it means the goals/objectives of this library and it's priorities.
-
 ## Security Reporting
 
 See [SECURITY.md](./SECURITY.md)
 
-## Security Vulnerability in Microsoft.IdentityModel.Tokens 5.1.0
-
-IdentityModel Extensions library Microsoft.IdentityModel.Tokens has a known security vulnerability affecting version 5.1.0. Please update to >= 5.1.1 immediately. An updated package is available on NuGet. For more details, see the [security notice](./SECURITY_NOTICE.md).
-
 ## Contributing
 
 All code is licensed under the MIT license and we triage actively on GitHub. We enthusiastically welcome contributions and feedback. See [Contributing.md](./Contributing.md) for guidelines, branch information, build instructions, and legalese.
diff --git a/supportPolicy.md b/supportPolicy.md
@@ -0,0 +1,33 @@
+# Microsoft.IdentityModel Support Policy
+
+_Last updated May 8, 2025_
+
+Every Microsoft product has a lifecycle. The lifecycle begins when a product is released and ends when it's no longer supported. Knowing key dates in this lifecycle helps you make informed decisions about when to upgrade or make other changes to your software. This product is governed by [Microsoft's Modern Lifecycle Policy](https://learn.microsoft.com/en-us/lifecycle/policies/modern).
+
+## Overview
+
+The Microsoft suite of auth libraries provides comprehensive tools for identity and security token processing in .NET, and non-.NET, applications, including authentication, authorization, token validation, and integration with Entra ID and other IdPs. To provide clarity and predictability for developers, these libraries follow a Long-Term Support (LTS) policy similar in style to the .NET Core/.NET platform LTS story. This policy defines how long each major version of each library is supported, which versions receive updates (especially security fixes), and when older versions are deprecated. The goal is to ensure developers know which version is safe to use and when to upgrade, in alignment with .NET’s own support cadence.
+
+## Support Policy Guiding Principles
+The support policy can be summarized by three key rules:
+1. **“Last Major Release” Support Window:** For each major version of the library (v5, v6, v7, v8, etc.), only the latest patch release of that major version is officially supported once a new major version is released. This last release of a major version (for example, 7.7.1 for the 7.x branch) will continue to be supported for a grace period of 180 days after the next major (v8.0) comes out or for the entire lifespan of the .NET LTS release that the library is associated with – whichever is longer. In other words, if a given major version of IdentityModel ships as part of a .NET LTS wave, it inherits that longer support timeline. For example, IdentityModel 7.x is shipped as part of ASP.NET Core in .NET 8 (an LTS release), then IdentityModel 7.x will be supported throughout the supported lifetime of .NET 8. If a major is not tied to an LTS .NET, the default support overlap is 180 days.
+2. **Deprecation of Older Versions on New Major Release:** When a new major version of the library is released (e.g., 8.0.0), all previous minor/patch versions of the previous major (e.g., 7.0.0 up to 7.7.0) are immediately considered deprecated, only the last patch release of the previous major (e.g., 7.7.1) remains supported during the 180-day overlap or LTS period as described above. Earlier patches in that branch will no longer receive updates. For example, once 8.0.0 is released, the entire 7.x series before 7.7.1 is deprecated. Developers should move to 7.7.1 (the final 7.x release) or upgrade to 8.x for continued support.
+3. **Security Fixes Only in Supported Versions:** Security fixes and critical bug fixes will be provided only for the supported versions – namely, the latest patch of the latest major, and in some cases the latest patch of the previous major during the overlap window. Older majors (and any old patch versions) will not receive security updates once they are out of support. This means if a vulnerability is discovered, the team will issue a fix in the current supported release (and possibly the last release of the previous major if still within 180-day/LTS overlap), but will not back-port fixes to earlier, deprecated patch versions. In practice, organizations must upgrade to the supported version to get the fix. (For example, a security advisory might instruct users to update to 7.7.1 or 8.x to resolve an issue, as older 7.x builds would not be patched.)
+
+## Supported versions
+The following table lists IdentityModel versions currently supported and receiving security fixes.
+
+| Major Version | Last Release | Patch release date| Support phase|End of support |
+| --------------|--------------|--------|--------|--------|
+| 9.x           |   N/A           |    N/A    |Not planned     | N/A|
+| 8.x           | 8.x latest   |Monthly| Active | Tied to .NET 9 (STS) & 10 (LTS) ~ Nov, 2028|
+| 7.x           | 7.7.1        | July 19, 2024 |Active, security fixes only |Supported (LTS) through .NET 8 LTS lifetime Nov 10, 2026|
+| 5.x           | 5.7.0        |January 9, 2024| Active, security fixes only |Tied to Microsoft.Owin.Security.JWT 4.2.2 |
+
+## Out of support versions
+The following table lists IdentityModel versions no longer supported and no longer receiving security fixes.
+
+| Major Version | Lastest patch version| Patch release date | End of support|
+| --------------|--------------|--------|--------|
+| 6.x           | 6.36.0       | July 18, 2024| May 2024|
+| 1.x           | 1.1.5        | November 17, 2017 | November 18, 2017|
