Commit 31af353

1 parent 66d6f16 commit 31af353

File tree

1 file changed

+44
-0
lines changed

docs/msiv1_sf_revocation.md

Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
# Goal
2+
3+
This proposal captures the requirements for Service Fabric.
4+
5+
Open question: Can we use the same approach for App Service ? Or for all MSIv1 sources (?) ?
6+
7+
8+
## Proposed token revocation flow
9+
10+
```mermaid
11+
sequenceDiagram
12+
participant Resource
13+
actor CX
14+
participant MSAL
15+
participant SF
16+
participant eSTS
17+
18+
CX ->> Resource: 1. Call resource with "bad" token
19+
Resource->>CX: 2. HTTP 401 + claims c
20+
CX->>CX: 3. Parse response, extract claims c
21+
CX->>MSAL: 4. MSI.AcquireToken <br/> WithClaims(c) WithClientCapabilities(cp1)
22+
MSAL->>MSAL: 5. Get "bad" token T from cache
23+
MSAL->>SF: 6. Call MITS <br/> WithClaims(c), WithClientCapabilities(cp1), WithBadToken(T)
24+
SF->>eSTS: 7. CCA.AcquireTokenForClient SN/I cert <br/> WithClaims(c) WithClientCapabilities(cp1), WithBadToken(T)
25+
```
26+
27+
At step 6, MSAL calls the SF endpoint (MITS) with 3 parameters: claims (from the CX), client capabilities (from the CX) and a SHA256 thumbprint of the bad token. The "bad token" comes from MSAL's cache. If a cached token doesn't exist,
28+
29+
> [!Open Question]
30+
> If a token isn't found in the cache, then MSAL will not relay the claims and client capabilties to MITS when requesting the token.
31+
32+
Service Fabric, on the RP side, will use `ConfidentialClientApplication` with an SN/I certificate to get a new token from eSTS. It will add the 3 parameters from the previous step.
33+
34+
### New MSAL API proposed
35+
36+
To support Service Fabric, MSAL will add a new API to `AcquireTokenForClient` - `.WithAccessTokenToRefresh(string thumbprintOfAccessTokenToRefresh)`. This can be extended to other flows too in the future.
37+
This API will be in a namespace that indicates it is supposed to be used by RPs - `Microsoft.Identity.Client.Rp`
38+
39+
#### Behavior:
40+
41+
- MSAL will look in the cache first for a non-expired token. If it exists:
42+
-- If it matches the "Bad" token thumbprint, then MSAL will ignore it and it will call eSTS for a new token, using the claims and client_capabilities.
43+
-- If it doesn't match, it means that a new token was already updated. Return it (ignore the claims).
44+
- If it doesn't exist, call eSTS with the claims and client_capabilities
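Review bot: file line 27 ends mid-sentence ("If a cached token doesn't exist,") right before the callout, so the behaviour at steps 5 and 6 when MSAL has no cached token is never actually stated in the prose; either finish the sentence or fold it into the callout at lines 29-30, which already raises that case. At line 29, `[!Open Question]` is not one of the GitHub alert types (NOTE, TIP, IMPORTANT, WARNING, CAUTION) and will render as a plain blockquote, and "capabilties" at line 30 is misspelled. In the behaviour list at lines 41-44 the `--` prefix does not produce nested bullets in Markdown; indent the two sub-items under the first bullet instead. It would also help to say at line 43 what happens if the non-matching cached token that MSAL returns (with the claims dropped) is itself rejected by the resource, since the CX then re-enters step 1 with a new thumbprint; as written, the loop terminates only because that thumbprint will match on the next pass, and that should be spelled out.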
