microsoft-authentication-library-for-js icon indicating copy to clipboard operation
microsoft-authentication-library-for-js copied to clipboard

Published 20 hours ago verified publisher icon AzureAD

[Engineering task] Implement Claims API to Bypass Cache When Claims are Present in MSAL with Managed Identity

Open gladjohn opened this issue 7 months ago • 1 comments

Core Library

MSAL Node (@azure/msal-node)

Wrapper Library

MSAL Node Extensions (@azure/msal-node-extensions)

Public or Confidential Client?

Confidential

Description

MSAL client type

Managed identity

Problem Statement

MSAL client type

Confidential

Problem Statement

Task type Development

Description Currently, MSAL with Managed Identity does not expose any API claims API. With CAE (Continuous Access Evaluation) being enabled by default, we need to implement a mechanism to bypass the cache if claims are detected in the token request.

Steps to Reproduce:

  • Enable CAE by default in MSAL with Managed Identity.
  • Make a token request with claims present.
  • By-pass cache when claims are present

note : msi v1 endpoint is unchanged so there is no need to pass any claims to the endpoint itself, this feature is done so MSAL will bypass the cache.

Observe that the cache is not bypassed, leading to potential stale token usage.

Expected Behavior: When claims are present in the token request, the cache should be bypassed to ensure that the latest token is used, in line with CAE requirements.

Proposed solution

  • Expose the claims API in MSAL for MI
  • Expose Claims to MI Assertion Provider for FIC

Alternatives

No response

Source

Internal (Microsoft)

gladjohn avatar Jul 17 '24 19:07 gladjohn