pr comments

GladwinJohnson · GladwinJohnson · commit ca9d4682bd88 · 2025-08-08T12:00:49.000-07:00
diff --git a/src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs b/src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs
@@ -105,15 +105,12 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok
                         cachedAccessTokenItem,
                             () =>
                             {
-                                // Use a linked token source, in case the original cts is disposed
+                                // Use a linked token source, in case the original cancellation token source is disposed before this background task completes.
                                 using var tokenSource = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
                                 return GetAccessTokenAsync(tokenSource.Token, logger);
-                            },
-                            logger,
-                            ServiceBundle,
-                            AuthenticationRequestParameters.RequestContext.ApiEvent,
-                            AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkApiId,
-                            AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkVersion);
+                            }, logger, ServiceBundle, AuthenticationRequestParameters.RequestContext.ApiEvent,
+                        AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkApiId,
+                        AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkVersion);
                     }
                 }
                 catch (MsalServiceException e)
@@ -154,9 +151,12 @@ private async Task<AuthenticationResult> GetAccessTokenAsync(
 
             try
             {
-                // Bypass cache and send request to token endpoint, when
-                // 1. Force refresh is requested, or
-                // 2. If the access token needs to be refreshed proactively.
+                // While holding the semaphore, decide whether to bypass the cache.
+                // Re-check because another thread may have filled the cache while we waited.
+                // Bypass when:
+                // 1) ForceRefresh is requested
+                // 2) Proactive refresh is in effect
+                // 3) Claims are present (revocation flow)
                 if (_managedIdentityParameters.ForceRefresh || 
                     AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo == CacheRefreshReason.ProactivelyRefreshed ||
                     !string.IsNullOrEmpty(_managedIdentityParameters.Claims))
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs
@@ -55,7 +55,7 @@ public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
             // Convert the scopes to a resource string.
             string resource = parameters.Resource;
 
-            ManagedIdentityRequest request = CreateRequest(resource, parameters);
+            ManagedIdentityRequest request = CreateRequest(resource);
 
             // Automatically add claims / capabilities if this MI source supports them
             if (_sourceType.SupportsClaimsAndCapabilities())
@@ -149,7 +149,7 @@ protected virtual Task<ManagedIdentityResponse> HandleResponseAsync(
             throw exception;
         }
 
-        protected abstract ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters);
+        protected abstract ManagedIdentityRequest CreateRequest(string resource);
 
         protected ManagedIdentityResponse GetSuccessfulResponse(HttpResponse response)
         {
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs
@@ -66,8 +66,7 @@ private static bool TryValidateEnvVars(string msiEndpoint, ILoggerAdapter logger
             return true;
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource, 
-            AcquireTokenForManagedIdentityParameters parameters)
+        protected override ManagedIdentityRequest CreateRequest(string resource)
         {
             ManagedIdentityRequest request = new(System.Net.Http.HttpMethod.Get, _endpoint);
             
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/AzureArcManagedIdentitySource.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/AzureArcManagedIdentitySource.cs
@@ -79,8 +79,7 @@ private AzureArcManagedIdentitySource(Uri endpoint, RequestContext requestContex
             }
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource, 
-            AcquireTokenForManagedIdentityParameters parameters)
+        protected override ManagedIdentityRequest CreateRequest(string resource)
         {
             ManagedIdentityRequest request = new ManagedIdentityRequest(System.Net.Http.HttpMethod.Get, _endpoint);
 
@@ -120,7 +119,7 @@ protected override async Task<ManagedIdentityResponse> HandleResponseAsync(
 
                 var authHeaderValue = "Basic " + File.ReadAllText(splitChallenge[1]);
 
-                ManagedIdentityRequest request = CreateRequest(parameters.Resource, parameters);
+                ManagedIdentityRequest request = CreateRequest(parameters.Resource);
 
                 _requestContext.Logger.Verbose(() => "[Managed Identity] Adding authorization header to the request.");
                 request.Headers.Add("Authorization", authHeaderValue);
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/CloudShellManagedIdentitySource.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/CloudShellManagedIdentitySource.cs
@@ -74,8 +74,7 @@ private CloudShellManagedIdentitySource(Uri endpoint, RequestContext requestCont
             }
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource, 
-            AcquireTokenForManagedIdentityParameters parameters)
+        protected override ManagedIdentityRequest CreateRequest(string resource)
         {
             ManagedIdentityRequest request = new ManagedIdentityRequest(HttpMethod.Post, _endpoint);
 
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsManagedIdentitySource.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsManagedIdentitySource.cs
@@ -55,8 +55,7 @@ internal ImdsManagedIdentitySource(RequestContext requestContext) :
             requestContext.Logger.Verbose(() => "[Managed Identity] Creating IMDS managed identity source. Endpoint URI: " + _imdsEndpoint);
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource, 
-            AcquireTokenForManagedIdentityParameters parameters)
+        protected override ManagedIdentityRequest CreateRequest(string resource)
         {
             ManagedIdentityRequest request = new(HttpMethod.Get, _imdsEndpoint);
 
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/MachineLearningManagedIdentitySource.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/MachineLearningManagedIdentitySource.cs
@@ -64,8 +64,7 @@ private static bool TryValidateEnvVars(string msiEndpoint, ILoggerAdapter logger
             return true;
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource, 
-            AcquireTokenForManagedIdentityParameters parameters)
+        protected override ManagedIdentityRequest CreateRequest(string resource)
         {
             ManagedIdentityRequest request = new(System.Net.Http.HttpMethod.Get, _endpoint);
 
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs
@@ -8,10 +8,10 @@ namespace Microsoft.Identity.Client.ManagedIdentity
     internal static class ManagedIdentitySourceExtensions
     {
         private static readonly HashSet<ManagedIdentitySource> s_supportsClaimsAndCaps =
-            [
-            // add other sources here as they light up
-            ManagedIdentitySource.ServiceFabric,
-            ];
+        [
+        // add other sources here as they light up
+        ManagedIdentitySource.ServiceFabric,
+        ];
 
         internal static bool SupportsClaimsAndCapabilities(
             this ManagedIdentitySource source) => s_supportsClaimsAndCaps.Contains(source);
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/ServiceFabricManagedIdentitySource.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/ServiceFabricManagedIdentitySource.cs
@@ -75,8 +75,7 @@ private ServiceFabricManagedIdentitySource(RequestContext requestContext, Uri en
             }
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource, 
-            AcquireTokenForManagedIdentityParameters parameters)
+        protected override ManagedIdentityRequest CreateRequest(string resource)
         {
             ManagedIdentityRequest request = new ManagedIdentityRequest(HttpMethod.Get, _endpoint);
 

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(`
`55`	`55`	`// Convert the scopes to a resource string.`
`56`	`56`	`string resource = parameters.Resource;`
`57`	`57`
`58`		`- ManagedIdentityRequest request = CreateRequest(resource, parameters);`
	`58`	`+ ManagedIdentityRequest request = CreateRequest(resource);`
`59`	`59`
`60`	`60`	`// Automatically add claims / capabilities if this MI source supports them`
`61`	`61`	`if (_sourceType.SupportsClaimsAndCapabilities())`
`@@ -149,7 +149,7 @@ protected virtual Task<ManagedIdentityResponse> HandleResponseAsync(`
`149`	`149`	`throw exception;`
`150`	`150`	`}`
`151`	`151`
`152`		`- protected abstract ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters);`
	`152`	`+ protected abstract ManagedIdentityRequest CreateRequest(string resource);`
`153`	`153`
`154`	`154`	`protected ManagedIdentityResponse GetSuccessfulResponse(HttpResponse response)`
`155`	`155`	`{`
Original file line number	Diff line number	Diff line change
`@@ -66,8 +66,7 @@ private static bool TryValidateEnvVars(string msiEndpoint, ILoggerAdapter logger`
`66`	`66`	`return true;`
`67`	`67`	`}`
`68`	`68`
`69`		`- protected override ManagedIdentityRequest CreateRequest(string resource,`
`70`		`- AcquireTokenForManagedIdentityParameters parameters)`
	`69`	`+ protected override ManagedIdentityRequest CreateRequest(string resource)`
`71`	`70`	`{`
`72`	`71`	`ManagedIdentityRequest request = new(System.Net.Http.HttpMethod.Get, _endpoint);`
`73`	`72`
Original file line number	Diff line number	Diff line change
`@@ -79,8 +79,7 @@ private AzureArcManagedIdentitySource(Uri endpoint, RequestContext requestContex`
`79`	`79`	`}`
`80`	`80`	`}`
`81`	`81`
`82`		`- protected override ManagedIdentityRequest CreateRequest(string resource,`
`83`		`- AcquireTokenForManagedIdentityParameters parameters)`
	`82`	`+ protected override ManagedIdentityRequest CreateRequest(string resource)`
`84`	`83`	`{`
`85`	`84`	`ManagedIdentityRequest request = new ManagedIdentityRequest(System.Net.Http.HttpMethod.Get, _endpoint);`
`86`	`85`
`@@ -120,7 +119,7 @@ protected override async Task<ManagedIdentityResponse> HandleResponseAsync(`
`120`	`119`
`121`	`120`	`var authHeaderValue = "Basic " + File.ReadAllText(splitChallenge[1]);`
`122`	`121`
`123`		`- ManagedIdentityRequest request = CreateRequest(parameters.Resource, parameters);`
	`122`	`+ ManagedIdentityRequest request = CreateRequest(parameters.Resource);`
`124`	`123`
`125`	`124`	`_requestContext.Logger.Verbose(() => "[Managed Identity] Adding authorization header to the request.");`
`126`	`125`	`request.Headers.Add("Authorization", authHeaderValue);`
Original file line number	Diff line number	Diff line change
`@@ -74,8 +74,7 @@ private CloudShellManagedIdentitySource(Uri endpoint, RequestContext requestCont`
`74`	`74`	`}`
`75`	`75`	`}`
`76`	`76`
`77`		`- protected override ManagedIdentityRequest CreateRequest(string resource,`
`78`		`- AcquireTokenForManagedIdentityParameters parameters)`
	`77`	`+ protected override ManagedIdentityRequest CreateRequest(string resource)`
`79`	`78`	`{`
`80`	`79`	`ManagedIdentityRequest request = new ManagedIdentityRequest(HttpMethod.Post, _endpoint);`
`81`	`80`
Original file line number	Diff line number	Diff line change
`@@ -55,8 +55,7 @@ internal ImdsManagedIdentitySource(RequestContext requestContext) :`
`55`	`55`	`requestContext.Logger.Verbose(() => "[Managed Identity] Creating IMDS managed identity source. Endpoint URI: " + _imdsEndpoint);`
`56`	`56`	`}`
`57`	`57`
`58`		`- protected override ManagedIdentityRequest CreateRequest(string resource,`
`59`		`- AcquireTokenForManagedIdentityParameters parameters)`
	`58`	`+ protected override ManagedIdentityRequest CreateRequest(string resource)`
`60`	`59`	`{`
`61`	`60`	`ManagedIdentityRequest request = new(HttpMethod.Get, _imdsEndpoint);`
`62`	`61`
Original file line number	Diff line number	Diff line change
`@@ -64,8 +64,7 @@ private static bool TryValidateEnvVars(string msiEndpoint, ILoggerAdapter logger`
`64`	`64`	`return true;`
`65`	`65`	`}`
`66`	`66`
`67`		`- protected override ManagedIdentityRequest CreateRequest(string resource,`
`68`		`- AcquireTokenForManagedIdentityParameters parameters)`
	`67`	`+ protected override ManagedIdentityRequest CreateRequest(string resource)`
`69`	`68`	`{`
`70`	`69`	`ManagedIdentityRequest request = new(System.Net.Http.HttpMethod.Get, _endpoint);`
`71`	`70`
Original file line number	Diff line number	Diff line change
`@@ -75,8 +75,7 @@ private ServiceFabricManagedIdentitySource(RequestContext requestContext, Uri en`
`75`	`75`	`}`
`76`	`76`	`}`
`77`	`77`
`78`		`- protected override ManagedIdentityRequest CreateRequest(string resource,`
`79`		`- AcquireTokenForManagedIdentityParameters parameters)`
	`78`	`+ protected override ManagedIdentityRequest CreateRequest(string resource)`
`80`	`79`	`{`
`81`	`80`	`ManagedIdentityRequest request = new ManagedIdentityRequest(HttpMethod.Get, _endpoint);`
`82`	`81`