microsoft-authentication-library-for-dotnet icon indicating copy to clipboard operation
microsoft-authentication-library-for-dotnet copied to clipboard

Published 20 hours ago verified publisher icon AzureAD

Add MSI token revocation support for legacy sources

Open gladjohn opened this issue 9 months ago • 3 comments

Fixes #5138

Spec: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/docs/msiv1_token_revocation.md

This pull request includes significant changes to the Microsoft.Identity.Client library, focusing on enhancing the handling of managed identity authentication requests. The key changes involve adding support for claims and capabilities, improving token handling logic, and refactoring various classes to accommodate these new features.

Enhancements to Managed Identity Authentication:

  • src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenForManagedIdentityParameters.cs: Added new properties Claims and BadTokenHash to support claims and token hashing.

  • src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs: Introduced ICryptographyManager to compute token hashes and updated the ExecuteAsync method to handle claims and token caching more effectively. [1] [2] [3]

Refactoring for Claims and Capabilities:

  • src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs: Refactored methods to include claims and capabilities in the managed identity request, including the new ApplyClaimsAndCapabilities method. [1] [2]

Updates to Managed Identity Sources:

  • Updated various managed identity source classes (AppServiceManagedIdentitySource, AzureArcManagedIdentitySource, CloudShellManagedIdentitySource, ImdsManagedIdentitySource, MachineLearningManagedIdentitySource, ServiceFabricManagedIdentitySource) to use the new CreateRequest method signature that includes AcquireTokenForManagedIdentityParameters. [1] [2] [3] [4] [5] [6] [7]

These changes collectively improve the robustness and flexibility of managed identity authentication in the Microsoft.Identity.Client library.

Testing unit tests

Performance impact none

Documentation

  • [ ] All relevant documentation is updated.

gladjohn avatar Feb 12 '25 20:02 gladjohn

Fixes #5138

Changes proposed in this request This pull request includes several changes to the Microsoft.Identity.Client library to support claims and capabilities in managed identity requests. The most important changes involve adding a new Claims property, modifying request creation methods to include this property, and implementing a new method to apply claims and capabilities to requests.

Support for Claims and Capabilities:

Request Creation and Handling:

  • src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs: Modified the CreateRequest method to accept AcquireTokenForManagedIdentityParameters and added the ApplyClaimsAndCapabilities method to set request parameters based on claims and capabilities. [1] [2] [3]
  • Updated various managed identity source classes (AppServiceManagedIdentitySource, AzureArcManagedIdentitySource, CloudShellManagedIdentitySource, ImdsManagedIdentitySource, MachineLearningManagedIdentitySource, ServiceFabricManagedIdentitySource) to use the new CreateRequest method signature and apply claims and capabilities. [1] [2] [3] [4] [5] [6]

Testing Enhancements:

Testing unit tests

Performance impact none

Documentation

  • [ ] All relevant documentation is updated.

bgavrilMS avatar Mar 17 '25 12:03 bgavrilMS

@gladjohn - what's the status on this one - when can it be merged?

bgavrilMS avatar Jun 06 '25 10:06 bgavrilMS

@gladjohn - what's the status on this one - when can it be merged?

given that SF is going first, I will create new PR for SF and merge it first.

gladjohn avatar Jun 06 '25 11:06 gladjohn