Add MSI token revocation support for legacy sources #5139

gladjohn · 2025-02-12T20:26:46Z

Spec: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/docs/msiv1_token_revocation.md

This pull request includes significant changes to the Microsoft.Identity.Client library, focusing on enhancing the handling of managed identity authentication requests. The key changes involve adding support for claims and capabilities, improving token handling logic, and refactoring various classes to accommodate these new features.

Enhancements to Managed Identity Authentication:

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenForManagedIdentityParameters.cs: Added new properties Claims and BadTokenHash to support claims and token hashing.
src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs: Introduced ICryptographyManager to compute token hashes and updated the ExecuteAsync method to handle claims and token caching more effectively. [1] [2] [3]

Refactoring for Claims and Capabilities:

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs: Refactored methods to include claims and capabilities in the managed identity request, including the new ApplyClaimsAndCapabilities method. [1] [2]

Updates to Managed Identity Sources:

Updated various managed identity source classes (AppServiceManagedIdentitySource, AzureArcManagedIdentitySource, CloudShellManagedIdentitySource, ImdsManagedIdentitySource, MachineLearningManagedIdentitySource, ServiceFabricManagedIdentitySource) to use the new CreateRequest method signature that includes AcquireTokenForManagedIdentityParameters. [1] [2] [3] [4] [5] [6] [7]

These changes collectively improve the robustness and flexibility of managed identity authentication in the Microsoft.Identity.Client library.

Testing
unit tests

Performance impact
none

Documentation

All relevant documentation is updated.

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs

bgavrilMS · 2025-03-17T12:54:54Z

src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs

        {
            ManagedIdentityRequest request = new(System.Net.Http.HttpMethod.Get, _endpoint);

            request.Headers.Add(SecretHeaderName, _secret);
            request.QueryParameters["api-version"] = AppServiceMsiApiVersion;
            request.QueryParameters["resource"] = resource;

+            ApplyClaimsAndCapabilities(request, parameters);


Have AppService folks sing-off on a spec?

We will remove bypass_cache and pass the bad token hash for all MSI v1 sources, based on the sign off from APP Service today

suggestion
Even though App Service signed off this, they are not yet actively working on this, are they? I would suggest we add this new xms_cc and token_sha256_to_refresh behaviors for only Service Fabric in this PR.

Other MIv1 providers, when they are ready, can approach us in the future, and then we will be able to add support for them by this one-liner here.

As part of the spec sign off, they (app service) also agreed on a deliverable. We need to get this out for them to actively work on this.

src/client/Microsoft.Identity.Client/ManagedIdentity/AzureArcManagedIdentitySource.cs

src/client/Microsoft.Identity.Client/ManagedIdentity/CloudShellManagedIdentitySource.cs

src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsManagedIdentitySource.cs

src/client/Microsoft.Identity.Client/ManagedIdentity/MachineLearningManagedIdentitySource.cs

src/client/Microsoft.Identity.Client/ManagedIdentity/ServiceFabricManagedIdentitySource.cs

bgavrilMS

Not to spec https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/docs/msiv1_token_revocation.md

bgavrilMS · 2025-03-17T12:58:48Z

Fixes #5138

Changes proposed in this request This pull request includes several changes to the Microsoft.Identity.Client library to support claims and capabilities in managed identity requests. The most important changes involve adding a new Claims property, modifying request creation methods to include this property, and implementing a new method to apply claims and capabilities to requests.

Support for Claims and Capabilities:

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenForManagedIdentityParameters.cs: Added a new Claims property to the AcquireTokenForManagedIdentityParameters class.

src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs: Updated the ExecuteAsync method to set the Claims property in _managedIdentityParameters.

Request Creation and Handling:

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs: Modified the CreateRequest method to accept AcquireTokenForManagedIdentityParameters and added the ApplyClaimsAndCapabilities method to set request parameters based on claims and capabilities. [1] [2] [3]

Updated various managed identity source classes (AppServiceManagedIdentitySource, AzureArcManagedIdentitySource, CloudShellManagedIdentitySource, ImdsManagedIdentitySource, MachineLearningManagedIdentitySource, ServiceFabricManagedIdentitySource) to use the new CreateRequest method signature and apply claims and capabilities. [1] [2] [3] [4] [5] [6]

Testing Enhancements:

tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs: Enhanced the AddManagedIdentityMockHandler method to include parameters for enabling capabilities and claims, and updated the BuildMockHandlerForManagedIdentitySource method accordingly. [1] [2]

Testing unit tests

Performance impact none

Documentation

All relevant documentation is updated.

src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs

src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsManagedIdentitySource.cs

re-review requested

…soft-authentication-library-for-dotnet into gladjohn/msi_v1_tr

gladjohn · 2025-03-21T03:31:57Z

src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs

@@ -13,7 +15,7 @@ namespace Microsoft.Identity.Client.ManagedIdentity
    internal class AppServiceManagedIdentitySource : AbstractManagedIdentity
    {
        // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
-        private const string AppServiceMsiApiVersion = "2019-08-01";
+        private const string AppServiceMsiApiVersion = "2025-03-30";


updated to new api-version, we cannot merge this PR until App Service api-version has been updated globally. Marked the PR as do not merge. Also do not close this comment.

⚠️ ⚠ 🚧 ❗ ⛔

This will fail the integration test as there is no new API-VERSION in APP Service, yet. This failure is expected.

neha-bhargava · 2025-04-01T04:26:13Z

src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs

@@ -13,7 +15,7 @@ namespace Microsoft.Identity.Client.ManagedIdentity
    internal class AppServiceManagedIdentitySource : AbstractManagedIdentity
    {
        // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
-        private const string AppServiceMsiApiVersion = "2019-08-01";
+        private const string AppServiceMsiApiVersion = "2025-03-30";


Does this version of app service endpoint the equivalent to MITS endpoint mentioned in the spec?

gladjohn changed the title ~~initial~~ Add MSI token revocation support for legacy sources Feb 12, 2025

gladjohn added the blocked label Feb 12, 2025

gladjohn self-assigned this Feb 12, 2025

gladjohn mentioned this pull request Mar 10, 2025

Enhancing Token Refresh Control in MSAL: Introducing .WithAccessTokenSha256ToRefresh() in AcquireTokenForClient Flows #5179

Merged

1 task

initial

579b189

gladjohn force-pushed the gladjohn/msi_v1_tr branch from 4ac538d to 579b189 Compare March 10, 2025 16:37

gladjohn removed the blocked label Mar 10, 2025