Skip to content

Add MSI token revocation support for legacy sources #5139

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 5 commits into from
Closed

Add MSI token revocation support for legacy sources #5139

wants to merge 5 commits into from

Conversation

@gladjohn
Copy link
Contributor

@gladjohn gladjohn commented Feb 12, 2025
edited
Loading

Fixes #5138

Spec: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/docs/msiv1_token_revocation.md

This pull request includes significant changes to the Microsoft.Identity.Client library, focusing on enhancing the handling of managed identity authentication requests. The key changes involve adding support for claims and capabilities, improving token handling logic, and refactoring various classes to accommodate these new features.

Enhancements to Managed Identity Authentication:

Refactoring for Claims and Capabilities:

Updates to Managed Identity Sources:

  • Updated various managed identity source classes (AppServiceManagedIdentitySource, AzureArcManagedIdentitySource, CloudShellManagedIdentitySource, ImdsManagedIdentitySource, MachineLearningManagedIdentitySource, ServiceFabricManagedIdentitySource) to use the new CreateRequest method signature that includes AcquireTokenForManagedIdentityParameters. [1] [2] [3] [4] [5] [6] [7]

These changes collectively improve the robustness and flexibility of managed identity authentication in the Microsoft.Identity.Client library.

Testing
unit tests

Performance impact
none

Documentation

  • All relevant documentation is updated.

@gladjohn gladjohn changed the title initial Add MSI token revocation support for legacy sources Feb 12, 2025
@gladjohn gladjohn self-assigned this Feb 12, 2025
@gladjohn gladjohn mentioned this pull request Mar 10, 2025
Merged
1 task
@gladjohn gladjohn force-pushed the gladjohn/msi_v1_tr branch from 4ac538d to 579b189 Compare March 10, 2025 16:37
@gladjohn gladjohn removed the blocked label Mar 10, 2025
bgavrilMS
bgavrilMS previously requested changes Mar 17, 2025
View reviewed changes
Copy link
Member

@bgavrilMS bgavrilMS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not to spec https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/docs/msiv1_token_revocation.md

@bgavrilMS
Copy link
Member

Fixes #5138

Changes proposed in this request This pull request includes several changes to the Microsoft.Identity.Client library to support claims and capabilities in managed identity requests. The most important changes involve adding a new Claims property, modifying request creation methods to include this property, and implementing a new method to apply claims and capabilities to requests.

Support for Claims and Capabilities:

Request Creation and Handling:

  • src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs: Modified the CreateRequest method to accept AcquireTokenForManagedIdentityParameters and added the ApplyClaimsAndCapabilities method to set request parameters based on claims and capabilities. [1] [2] [3]
  • Updated various managed identity source classes (AppServiceManagedIdentitySource, AzureArcManagedIdentitySource, CloudShellManagedIdentitySource, ImdsManagedIdentitySource, MachineLearningManagedIdentitySource, ServiceFabricManagedIdentitySource) to use the new CreateRequest method signature and apply claims and capabilities. [1] [2] [3] [4] [5] [6]

Testing Enhancements:

Testing unit tests

Performance impact none

Documentation

  • All relevant documentation is updated.

@gladjohn gladjohn marked this pull request as ready for review March 19, 2025 18:29
@gladjohn gladjohn requested a review from a team as a code owner March 19, 2025 18:29
@gladjohn gladjohn requested a review from bgavrilMS March 19, 2025 18:29
@gladjohn gladjohn dismissed bgavrilMS’s stale review March 20, 2025 17:31

re-review requested

@gladjohn gladjohn force-pushed the gladjohn/msi_v1_tr branch from 8334022 to a51ffab Compare April 22, 2025 15:44
@gladjohn gladjohn force-pushed the gladjohn/msi_v1_tr branch from 312229f to 76b0762 Compare May 13, 2025 19:11
@bgavrilMS
Copy link
Member

@gladjohn - what's the status on this one - when can it be merged?

@gladjohn
Copy link
Contributor Author

gladjohn commented Jun 6, 2025

@gladjohn - what's the status on this one - when can it be merged?

given that SF is going first, I will create new PR for SF and merge it first.

@gladjohn gladjohn closed this Aug 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rayluo rayluo rayluo left review comments

@neha-bhargava neha-bhargava neha-bhargava left review comments

@bgavrilMS bgavrilMS bgavrilMS approved these changes

Assignees

@gladjohn gladjohn

Labels

do not merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feature Request] Add MSI v1 token revocation support

6 participants

@gladjohn @bgavrilMS @rayluo @neha-bhargava @GladwinJohnson