e2e test and CreateSha256HashHex

Author: GladwinJohnson

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenForManagedIdentityParameters.cs

@@ -18,7 +18,7 @@ internal class AcquireTokenForManagedIdentityParameters : IAcquireTokenParameter
 
         public string Claims { get; set; }
 
-        public string BadTokenHash { get; set; }
+        public string RevokedTokenHash { get; set; }
 
         public void LogParameters(ILoggerAdapter logger)
         {

src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs

@@ -62,8 +62,8 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok
                 // If there is a cached token, compute its hash for the “bad token” scenario
                 if (cachedAccessTokenItem != null)
                 {
-                    string cachedTokenHash = _cryptoManager.CreateSha256Hash(cachedAccessTokenItem.Secret);
-                    _managedIdentityParameters.BadTokenHash = cachedTokenHash;
+                    string cachedTokenHash = _cryptoManager.CreateSha256HashHex(cachedAccessTokenItem.Secret);
+                    _managedIdentityParameters.RevokedTokenHash = cachedTokenHash;
 
                     logger.Info("[ManagedIdentityRequest] Claims are present. Computed hash of the cached (bad) token. " +
                                 "Will now request a fresh token from the MI endpoint.");

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs

@@ -319,9 +319,9 @@ protected virtual void ApplyClaimsAndCapabilities(
 
             // Only include 'token_sha256_to_refresh' if we have both Claims and the old token's hash
             if (!string.IsNullOrEmpty(parameters.Claims) &&
-                !string.IsNullOrEmpty(parameters.BadTokenHash))
+                !string.IsNullOrEmpty(parameters.RevokedTokenHash))
             {
-                SetRequestParameter(request, "token_sha256_to_refresh", parameters.BadTokenHash);
+                SetRequestParameter(request, "token_sha256_to_refresh", parameters.RevokedTokenHash);
                 _requestContext.Logger.Info(
                     "[Managed Identity] Passing SHA-256 of the 'bad' token to Managed Identity endpoint."
                 );

tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs

@@ -473,7 +473,7 @@ private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(
             }
 
             var manager = new CommonCryptographyManager();
-            var value = manager.CreateSha256Hash(TestConstants.ATSecret);
+            var value = manager.CreateSha256HashHex(TestConstants.ATSecret);
 
             // If capabilityEnabled, add "xms_cc": "cp1"
             if (capabilityEnabled)
@@ -494,12 +494,12 @@ private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(
                 if (managedIdentitySourceType == ManagedIdentitySource.AppService
                     || managedIdentitySourceType == ManagedIdentitySource.ServiceFabric)
                 {
-                    expectedQueryParams.Add("token_sha256_to_refresh", manager.CreateSha256Hash(TestConstants.ATSecret));
+                    expectedQueryParams.Add("token_sha256_to_refresh", manager.CreateSha256HashHex(TestConstants.ATSecret));
                 }
             }
             else
             {
-                notExpectedQueryParams.Add("token_sha256_to_refresh", manager.CreateSha256Hash(TestConstants.ATSecret));
+                notExpectedQueryParams.Add("token_sha256_to_refresh", manager.CreateSha256HashHex(TestConstants.ATSecret));
             }
 
             if (managedIdentitySourceType != ManagedIdentitySource.CloudShell)

tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs

@@ -60,7 +60,7 @@ public class ManagedIdentityTests
         //non existent Resource ID of the User Assigned Identity 
         private const string Non_Existent_UamiResourceId = "/subscriptions/userAssignedIdentities/NO_ID";
 
-        //[DataTestMethod]
+        [DataTestMethod]
         [DataRow(MsiAzureResource.WebApp, "", DisplayName = "System_Identity_Web_App")]
         //[DataRow(MsiAzureResource.Function, "", DisplayName = "System_Identity_Function_App")]
         //[DataRow(MsiAzureResource.VM, "", DisplayName = "System_Identity_Virtual_Machine")]
@@ -128,7 +128,69 @@ public async Task AcquireMSITokenAsync(MsiAzureResource azureResource, string us
             }
         }
 
-        //[TestMethod]
+        [DataTestMethod]
+        [DataRow(MsiAzureResource.WebApp, "", DisplayName = "System_Identity_Web_App")]
+        [DataRow(MsiAzureResource.WebApp, UserAssignedClientID, UserAssignedIdentityId.ClientId, DisplayName = "ClientId_Web_App")]
+        [DataRow(MsiAzureResource.WebApp, UamiResourceId, UserAssignedIdentityId.ResourceId, DisplayName = "ResourceID_Web_App")]
+        [DataRow(MsiAzureResource.WebApp, UserAssignedObjectID, UserAssignedIdentityId.ObjectId, DisplayName = "ObjectID_Web_App")]
+        public async Task AcquireMSITokenWithClaimsAsync(
+        MsiAzureResource azureResource,
+        string userIdentity,
+        UserAssignedIdentityId userAssignedIdentityId = UserAssignedIdentityId.None)
+        {
+            using (new EnvVariableContext())
+            {
+                // ---------- Arrange ----------
+                var envVariables = await GetEnvironmentVariablesAsync(azureResource).ConfigureAwait(false);
+                SetEnvironmentVariables(envVariables);
+
+                string uri = s_baseURL + $"MSIToken?azureresource={azureResource}&uri=";
+
+                IManagedIdentityApplication mia =
+                    CreateMIAWithProxy(uri, userIdentity, userAssignedIdentityId);
+
+                // ---------- Act & Assert 1 ----------
+                AuthenticationResult result1 = await mia
+                                .AcquireTokenForManagedIdentity(s_msi_scopes)
+                                .ExecuteAsync()
+                                .ConfigureAwait(false);
+
+                Assert.AreEqual("Bearer", result1.TokenType);
+                Assert.AreEqual(TokenSource.IdentityProvider,
+                                result1.AuthenticationResultMetadata.TokenSource);
+                CoreAssert.IsWithinRange(
+                    DateTimeOffset.UtcNow,
+                    result1.ExpiresOn,
+                    TimeSpan.FromHours(24));
+
+                // ---------- Act & Assert 2 (cache hit) ----------
+                AuthenticationResult result2 = await mia
+                                .AcquireTokenForManagedIdentity(s_msi_scopes)
+                                .ExecuteAsync()
+                                .ConfigureAwait(false);
+
+                Assert.IsTrue(result2.Scopes.All(s_msi_scopes.Contains));
+                Assert.AreEqual(TokenSource.Cache,
+                                result2.AuthenticationResultMetadata.TokenSource);
+                Assert.AreEqual(result1.AccessToken, result2.AccessToken,   // sanity
+                                "Second call should come from cache");
+
+                // ---------- Act & Assert 3 (claims → bypass_cache) ----------
+                const string claimsJson = TestConstants.Claims;
+
+                AuthenticationResult result3 = await mia
+                                .AcquireTokenForManagedIdentity(s_msi_scopes)
+                                .WithClaims(claimsJson)
+                                .ExecuteAsync()
+                                .ConfigureAwait(false);
+
+                // Token source should now be IdentityProvider again
+                Assert.AreEqual(TokenSource.IdentityProvider,
+                                result3.AuthenticationResultMetadata.TokenSource);
+            }
+        }
+
+        [TestMethod]
         public async Task AcquireMsiToken_ForTokenExchangeResource_Successfully()
         {
             string resource = "api://AzureAdTokenExchange";
@@ -183,7 +245,7 @@ public async Task AcquireMsiToken_ForTokenExchangeResource_Successfully()
             }
         }
 
-        //[TestMethod]
+        [TestMethod]
         public async Task AcquireMsiToken_ExchangeForEstsToken_Successfully()
         {
            const string resource = "api://AzureAdTokenExchange";
@@ -449,7 +511,7 @@ private IManagedIdentityApplication CreateMIAWithProxy(string url, string userAs
             // Disabling shared cache options to avoid cross test pollution.
             builder.Config.AccessorOptions = null;
 
-            IManagedIdentityApplication mia = builder
+            IManagedIdentityApplication mia = builder.WithClientCapabilities(new[] { "cp1" })
                 .WithHttpManager(proxyHttpManager).Build();
 
             return mia;