@gladjohn
Contributor
This pull request adds documentation for MSAL support for MSI v1 token revocation and capabilities. It introduces two optional parameters that developers can use to control token revocation and specify client capabilities when acquiring tokens via Managed Identity.

Key changes include:

  • Documentation Addition:
    • docs/msiv1_token_revocation.md: Added detailed documentation describing the bypass_cache and xms_cc parameters, their purposes, behaviors, and use cases.

@gladjohn gladjohn marked this pull request as ready for review February 12, 2025 00:37
@gladjohn gladjohn requested a review from a team as a code owner February 12, 2025 00:37
Member

@bgavrilMS bgavrilMS left a comment
No mapping between public APIs and the new MSI params.

@gladjohn gladjohn requested review from bgavrilMS and rayluo February 13, 2025 22:32
Member

@bgavrilMS bgavrilMS left a comment
Not the design SF wanted.

Contributor Author

@gladjohn gladjohn left a comment
Looks good, Bogdan. Do we need to create another spec for MIA changes to support this? I have a PR out there, and I can modify it based on the details from the diagram. But adding one line on the MSI design would be good to have for clarity.

Contributor

@rayluo rayluo left a comment
Based on the original CAE design, WithClientCapabilities is a per-app parameter in MSAL. That is one of the reasons why xms_cc should not be used in the second-to-last arrow in both diagrams; otherwise it would force SFRP to create a new CCA instance per request, which would be too inefficient.

In SF's MSIv1 token revocation design, their protocol accepts the claims parameter (signed off by the eSTS architect), and it does not accept xms_cc as a standalone parameter (which is not in the original CAE protocol either). So MSAL's ManagedIdentityApplication can simply relay the incoming WithClaims to SF.

I proposed suggestions on diagrams, accordingly.

You may also refer to this feature request for the same project.
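The cache and capability behaviour discussed in this thread, as a constructed Python model added here (not MSAL's or Service Fabric's code; the endpoint stub, request field names and helper names are assumptions): client capabilities are configured once per app, and a request that carries a claims challenge bypasses the app-side cache and relays the claims to the MSI endpoint unchanged.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

_issued = {"n": 0}


def fake_msi_endpoint(body: Dict[str, str]) -> str:
    """Stand-in for the MSI v1 endpoint (assumption): issues a fresh opaque
    token on every call so revocation/refresh behaviour is observable."""
    _issued["n"] += 1
    return f"tok-{_issued['n']}-{body['resource']}"


@dataclass
class ManagedIdentityApp:
    """Per-app configuration. Capabilities are fixed at construction, mirroring
    the per-app nature of WithClientCapabilities described in the review."""
    client_capabilities: Tuple[str, ...] = ()
    _cache: Dict[str, str] = field(default_factory=dict)
    calls: List[Dict[str, str]] = field(default_factory=list)  # bodies sent

    def acquire_token(self, resource: str, claims: Optional[str] = None) -> dict:
        # A claims challenge means the resource rejected the token we hold, so
        # answering it from cache would just replay the revoked token.
        if claims is None and resource in self._cache:
            return {"access_token": self._cache[resource], "from_cache": True}
        token = self._request_from_msi(resource, claims)
        self._cache[resource] = token
        return {"access_token": token, "from_cache": False}

    def _request_from_msi(self, resource: str, claims: Optional[str]) -> str:
        body = {"resource": resource}
        if claims:
            # Relay the incoming claims as-is; ask the endpoint to skip its own
            # cache too (field name taken from the PR description, wiring assumed).
            body["claims"] = claims
            body["bypass_cache"] = "true"
        if self.client_capabilities:
            # xms_cc travels as app-level configuration, never per request.
            body["xms_cc"] = ",".join(self.client_capabilities)
        self.calls.append(body)
        return fake_msi_endpoint(body)
```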

@gladjohn gladjohn requested a review from rayluo March 11, 2025 22:00
@gladjohn gladjohn dismissed bgavrilMS’s stale review March 11, 2025 22:01

Re-request review, please.

@bgavrilMS bgavrilMS merged commit 622fa2a into main Mar 12, 2025
5 of 7 checks passed
@bgavrilMS bgavrilMS deleted the gladjohn-msi_v1 branch March 12, 2025 11:28
gladjohn added a commit that referenced this pull request Mar 12, 2025
* Create msiv1_token_revocation.md

* Update MSI v1 token revocation documentation

* Add manual testing guideline link for MSI v1

* 1

* Update docs

* 2

* Update docs/msiv1_token_revocation.md

Co-authored-by: Ray Luo <rayluo@microsoft.com>

* Update token revocation documentation with new parameters

* Update token revocation sequence diagram and explanation

* Update mermaid diagram in token revocation doc

* Remove redundant end statements in documentation

* Update parameter name in MSAL API documentation

* Update token revocation documentation

---------

Co-authored-by: Bogdan Gavril <bogavril@microsoft.com>
Co-authored-by: Ray Luo <rayluo@microsoft.com>