Added token revocation functionality to Managed Identity's App Service and Service Fabric sources #7679
+315
−71
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bgavrilMS
reviewed
Apr 3, 2025
lib/msal-node/test/client/ManagedIdentitySources/AppService.spec.ts
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Apr 3, 2025
bgavrilMS
reviewed
Apr 3, 2025
lib/msal-node/test/client/ManagedIdentitySources/AppService.spec.ts
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Apr 3, 2025
bgavrilMS
reviewed
Apr 4, 2025
lib/msal-node/test/client/ManagedIdentitySources/AppService.spec.ts
Outdated
Show resolved
Hide resolved
Robbie-Microsoft
commented
Apr 7, 2025
| @@ -176,6 +178,70 @@ describe("Acquires a token successfully via an App Service Managed Identity", () | |||
| }); | |||
| }); | |||
|
|
|||
| describe("Miscellaneous", () => { | |||
| test("ignores a cached token when claims are provided and the Managed Identity does support token revocation, and ensures the token revocation query parameter token_sha256_to_refresh was included in the network request to the Managed Identity", async () => { | |||
There was a problem hiding this comment.
Add test when just the capabilities are set and claims are not passed?
There was a problem hiding this comment.
Are you covering these test cases:
- When capabilities are set but no claims are passes, the capabilities should be passed to the endpoint. No refresh of cache on 2nd request when claims are not passed.
- When claims are passed but capabilities is not set, the cache is still refreshed and the claims are passed to the endpoint.
- When both are present, this you already have covered.
gladjohn
reviewed
Apr 10, 2025
| } from "../../utils/Constants.js"; | ||
| import { CryptoProvider } from "../../crypto/CryptoProvider.js"; | ||
| import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js"; | ||
| import { ManagedIdentityId } from "../../config/ManagedIdentityId.js"; | ||
| import { NodeStorage } from "../../cache/NodeStorage.js"; | ||
|
|
||
| // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity | ||
| const APP_SERVICE_MSI_API_VERSION: string = "2019-08-01"; | ||
| const APP_SERVICE_MSI_API_VERSION: string = "2025-03-30"; |
There was a problem hiding this comment.
Alternatively, remove the app service changes from this PR, and then we can merge it for Service Fabric. We will create a new PR later after app service deploys their token revocation support.
There was a problem hiding this comment.
@gladjohn Expected GA for App Service token revocation is 5/30? I will wait to merge until then if you can confirm.
There was a problem hiding this comment.
Expected GA for App Service token revocation is 5/30?
5/30 is availability of the feature in test ring.
There was a problem hiding this comment.
What is the timeline for it to be available in prod? I am expecting that we will not merge until this is available in prod.
gladjohn
approved these changes
Apr 10, 2025
| @@ -8,8 +8,11 @@ import { ManagedIdentityRequestParams } from "./ManagedIdentityRequestParams.js" | |||
|
|
|||
| /** | |||
| * ManagedIdentityRequest | |||
| * - forceRefresh - forces managed identity requests to skip the cache and make network calls if true | |||
| * - resource - resource requested to access the protected API. It should be of the form "{ResourceIdUri}" or {ResourceIdUri/.default}. For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default | |||
| * - clientCapabilities - an array of capabilities to be added to all network requests as part of the `xms_cc` claims request | |||
There was a problem hiding this comment.
Suggested change
| * - clientCapabilities - an array of capabilities to be added to all network requests as part of the `xms_cc` claims request | |
| * - clientCapabilities - an array of capabilities to be added to all network requests as part of the `xms_cc` claim |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Token Revocation spec