
@gladjohn (Contributor)

@gladjohn gladjohn commented Aug 4, 2025

Fixes #5420

Changes proposed in this request
This pull request introduces support for claims and revoked token handling in Managed Identity authentication, along with improvements to token caching logic and query parameter parsing. The main changes include new properties for claims and revoked token hash, enhanced cache bypass logic to handle claims and force refresh, and the ability to pass client capabilities and revoked token hashes to Managed Identity endpoints. Additionally, the parsing of key-value query strings is made more robust to handle edge cases.

Managed Identity Claims and Revoked Token Support

  • Added Claims and RevokedTokenHash properties to AcquireTokenForManagedIdentityParameters, and updated logging to reflect their usage.
  • Implemented logic in ManagedIdentityAuthRequest to bypass cache when claims are present, compute hash of revoked tokens, and pass this information to the endpoint, ensuring correct token issuance in claims-based scenarios.

Client Capabilities and Claims Integration

  • Added method to ManagedIdentityRequest to include client capabilities (xms_cc) and revoked token hash (token_sha256_to_refresh) in requests; integrated this in AbstractManagedIdentity for sources that support claims and capabilities.
  • Introduced ManagedIdentitySourceExtensions to track which Managed Identity sources support claims and capabilities.

Key-Value Query String Parsing Improvements

  • Improved CoreHelpers.ParseKeyValueList to correctly handle values containing =, such as base64-encoded strings, by splitting only on the first = character. Also enhanced trimming and logging.

Test and Dependency Updates

  • Updated test helpers to use TestConstants.ATSecret for access tokens and added flags for capability and claims support in mock handlers.

Dependency Injection and Usability

  • Passed ICryptographyManager via ManagedIdentityAuthRequest constructor for hash computation, and updated dependencies in Managed Identity source files.

Testing

  • unit testing
  • manual testing in service fabric cluster

Performance impact
none

Documentation

  • All relevant documentation is updated.
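The first-`=` split for key-value lists and the claims/revoked-token request parameters described above, as an added Python example (not MSAL.NET's own C# code): it assumes the revoked token hash is sent as lowercase hex, uses a constructed sample query string, and treats the `resource` parameter name as illustrative.

```python
import hashlib
from typing import Dict, List, Optional


def parse_key_value_list(text: str, delimiter: str = "&") -> Dict[str, str]:
    """Parse 'k=v<delimiter>k=v' into a dict, splitting each pair on its FIRST '='
    only, so base64 values such as 'YWJjZA==' keep their '=' padding intact."""
    result: Dict[str, str] = {}
    for pair in text.split(delimiter):
        pair = pair.strip()
        if not pair:
            continue                      # tolerate empty segments ("a=1&&b=2")
        key, sep, value = pair.partition("=")
        key = key.strip()
        if not sep or not key:
            continue                      # no '=' or no key: skip the malformed entry
        result[key] = value.strip()
    return result


def should_bypass_cache(claims: Optional[str], force_refresh: bool) -> bool:
    """A claims challenge (e.g. after token revocation) or an explicit force-refresh
    must never be served from the token cache."""
    return force_refresh or bool(claims and claims.strip())


def revoked_token_hash(token: str) -> str:
    """SHA-256 of the revoked token. Lowercase hex encoding is an assumption made
    for this example; the page does not state the wire encoding."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def build_mi_query(resource: str, capabilities: List[str],
                   revoked_token: Optional[str]) -> Dict[str, str]:
    """Assemble the Managed Identity endpoint parameters: 'xms_cc' carries the client
    capabilities and 'token_sha256_to_refresh' the hash of the revoked token."""
    params = {"resource": resource}       # 'resource' key is illustrative here
    if capabilities:
        params["xms_cc"] = ",".join(capabilities)
    if revoked_token:
        params["token_sha256_to_refresh"] = revoked_token_hash(revoked_token)
    return params


# Constructed sample: a base64 value with '=' padding that a naive split("=") would truncate.
SAMPLE = "resource=https://vault.azure.net&token=YWJjZA==&&xms_cc=cp1"
```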

@gladjohn gladjohn requested a review from a team as a code owner August 4, 2025 17:00
@gladjohn gladjohn requested a review from trwalke August 6, 2025 15:44
@gladjohn gladjohn force-pushed the gladjohn/sa-ga branch 2 times, most recently from 15fc53c to 4d4728e August 7, 2025 02:35
@gladjohn gladjohn merged commit 10ff824 into main Aug 8, 2025
11 checks passed
@gladjohn gladjohn deleted the gladjohn/sa-ga branch August 8, 2025 19:47

Development

Successfully merging this pull request may close these issues.

[Engineering task] Token Revocation in Service Fabric

5 participants