AzureAD · Robbie-Microsoft · Nov 15, 2024 · Nov 15, 2024 · Nov 15, 2024 · Nov 15, 2024
diff --git a/change/@azure-msal-node-20888f8d-8ed5-4418-80dd-03944efa17c7.json b/change/@azure-msal-node-20888f8d-8ed5-4418-80dd-03944efa17c7.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Added token revocation functionality to managed identity (#7422)",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
@@ -389,6 +389,7 @@ export class ManagedIdentityApplication {
 
 // @public (undocumented)
 export type ManagedIdentityConfiguration = {
+    clientCapabilities?: Array<string>;
     managedIdentityIdParams?: ManagedIdentityIdParams;
     system?: NodeSystemOptions;
 };

@@ -140,6 +140,8 @@ export class ManagedIdentityApplication {
             ],
             authority: this.fakeAuthority.canonicalAuthority,
             correlationId: this.cryptoProvider.createNewGuid(),
+            claims: managedIdentityRequestParams.claims,
+            clientCapabilities: this.config.clientCapabilities,
         };
 
         if (

@@ -8,20 +8,17 @@ import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
 import {
     HttpMethod,
     APP_SERVICE_SECRET_HEADER_NAME,
-    API_VERSION_QUERY_PARAMETER_NAME,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
     ManagedIdentityEnvironmentVariableNames,
+    ManagedIdentityQueryParameters,
     ManagedIdentitySourceNames,
     ManagedIdentityIdType,
+    MSI_V1_MIN_VERSION,
 } from "../../utils/Constants.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
 import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 
-// MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
-const APP_SERVICE_MSI_API_VERSION: string = "2019-08-01";
-
 /**
  * Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/AppServiceManagedIdentitySource.cs
  */
@@ -107,9 +104,9 @@ export class AppService extends BaseManagedIdentitySource {
 
         request.headers[APP_SERVICE_SECRET_HEADER_NAME] = this.identityHeader;
 
-        request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
-            APP_SERVICE_MSI_API_VERSION;
-        request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.API_VERSION] =
+            MSI_V1_MIN_VERSION;
+        request.queryParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         if (

@@ -22,15 +22,15 @@ import {
     createManagedIdentityError,
 } from "../../error/ManagedIdentityError.js";
 import {
-    API_VERSION_QUERY_PARAMETER_NAME,
     AUTHORIZATION_HEADER_NAME,
     AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES,
     HttpMethod,
     METADATA_HEADER_NAME,
     ManagedIdentityEnvironmentVariableNames,
     ManagedIdentityIdType,
+    ManagedIdentityQueryParameters,
     ManagedIdentitySourceNames,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
+    MSI_V1_MIN_VERSION,
 } from "../../utils/Constants.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 import {
@@ -43,7 +43,6 @@ import { ManagedIdentityTokenResponse } from "../../response/ManagedIdentityToke
 import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
 import path from "path";
 
-export const ARC_API_VERSION: string = "2019-11-01";
 export const DEFAULT_AZURE_ARC_IDENTITY_ENDPOINT: string =
     "http://127.0.0.1:40342/metadata/identity/oauth2/token";
 const HIMDS_EXECUTABLE_HELPER_STRING = "N/A: himds executable exists";
@@ -194,9 +193,9 @@ export class AzureArc extends BaseManagedIdentitySource {
 
         request.headers[METADATA_HEADER_NAME] = "true";
 
-        request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
-            ARC_API_VERSION;
-        request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.API_VERSION] =
+            MSI_V1_MIN_VERSION;
+        request.queryParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         // bodyParameters calculated in BaseManagedIdentity.acquireTokenWithManagedIdentity

@@ -24,7 +24,11 @@ import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
 import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import { ManagedIdentityRequest } from "../../request/ManagedIdentityRequest.js";
-import { HttpMethod, ManagedIdentityIdType } from "../../utils/Constants.js";
+import {
+    HttpMethod,
+    ManagedIdentityIdType,
+    ManagedIdentityQueryParameters,
+} from "../../utils/Constants.js";
 import { ManagedIdentityTokenResponse } from "../../response/ManagedIdentityTokenResponse.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 import {
@@ -133,6 +137,31 @@ export abstract class BaseManagedIdentitySource {
                 managedIdentityId
             );
 
+        // if claims are present, the MSI will get a new token
+        if (managedIdentityRequest.claims) {
+            this.logger.info(
+                `[Managed Identity] The following claims are present in the request: ${managedIdentityRequest.claims}`
+            );
+
+            networkRequest.queryParameters[
+                ManagedIdentityQueryParameters.BYPASS_CACHE
+            ] = "true";
+        }
+
+        // if client capabilities are present, send them to the MSI
+        if (managedIdentityRequest.clientCapabilities?.length) {
+            const clientCapabilities: string =
+                managedIdentityRequest.clientCapabilities.toString();
+
+            this.logger.info(
+                `[Managed Identity] The following claims are present in the request: ${clientCapabilities}`
+            );
+
+            networkRequest.queryParameters[
+                ManagedIdentityQueryParameters.XMS_CC
+            ] = clientCapabilities;
+        }
+
         const headers: Record<string, string> = networkRequest.headers;
         headers[HeaderNames.CONTENT_TYPE] = Constants.URL_FORM_CONTENT_TYPE;
 

@@ -13,8 +13,8 @@ import {
     METADATA_HEADER_NAME,
     ManagedIdentityEnvironmentVariableNames,
     ManagedIdentityIdType,
+    ManagedIdentityQueryParameters,
     ManagedIdentitySourceNames,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
 } from "../../utils/Constants.js";
 import {
     ManagedIdentityErrorCodes,
@@ -102,7 +102,7 @@ export class CloudShell extends BaseManagedIdentitySource {
 
         request.headers[METADATA_HEADER_NAME] = "true";
 
-        request.bodyParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.bodyParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         return request;

@@ -9,22 +9,20 @@ import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRe
 import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import {
-    API_VERSION_QUERY_PARAMETER_NAME,
     HttpMethod,
     METADATA_HEADER_NAME,
     ManagedIdentityEnvironmentVariableNames,
     ManagedIdentityIdType,
+    ManagedIdentityQueryParameters,
     ManagedIdentitySourceNames,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
+    MSI_V1_MIN_VERSION,
 } from "../../utils/Constants.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 
 // IMDS constants. Docs for IMDS are available here https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
 const IMDS_TOKEN_PATH: string = "/metadata/identity/oauth2/token";
 const DEFAULT_IMDS_ENDPOINT: string = `http://169.254.169.254${IMDS_TOKEN_PATH}`;
 
-const IMDS_API_VERSION: string = "2018-02-01";
-
 // Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/ImdsManagedIdentitySource.cs
 export class Imds extends BaseManagedIdentitySource {
     private identityEndpoint: string;
@@ -104,9 +102,9 @@ export class Imds extends BaseManagedIdentitySource {
 
         request.headers[METADATA_HEADER_NAME] = "true";
 
-        request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
-            IMDS_API_VERSION;
-        request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.API_VERSION] =
+            MSI_V1_MIN_VERSION;
+        request.queryParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         if (

@@ -10,18 +10,15 @@ import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import {
-    API_VERSION_QUERY_PARAMETER_NAME,
     HttpMethod,
     ManagedIdentityEnvironmentVariableNames,
     ManagedIdentityIdType,
+    ManagedIdentityQueryParameters,
     ManagedIdentitySourceNames,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
+    MSI_V1_MIN_VERSION,
     SERVICE_FABRIC_SECRET_HEADER_NAME,
 } from "../../utils/Constants.js";
 
-// MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
-const SERVICE_FABRIC_MSI_API_VERSION: string = "2019-07-01-preview";
-
 /**
  * Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/ServiceFabricManagedIdentitySource.cs
  */
@@ -125,9 +122,9 @@ export class ServiceFabric extends BaseManagedIdentitySource {
         request.headers[SERVICE_FABRIC_SECRET_HEADER_NAME] =
             this.identityHeader;
 
-        request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
-            SERVICE_FABRIC_MSI_API_VERSION;
-        request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.API_VERSION] =
+            MSI_V1_MIN_VERSION;
+        request.queryParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         if (

@@ -136,6 +136,7 @@ export type ManagedIdentityIdParams = {
 
 /** @public */
 export type ManagedIdentityConfiguration = {
+    clientCapabilities?: Array<string>;
     managedIdentityIdParams?: ManagedIdentityIdParams;
     system?: NodeSystemOptions;
 };
@@ -247,13 +248,15 @@ export function buildAppConfiguration({
 
 /** @internal */
 export type ManagedIdentityNodeConfiguration = {
+    clientCapabilities: Array<string>;
     managedIdentityId: ManagedIdentityId;
     system: Required<
         Pick<NodeSystemOptions, "loggerOptions" | "networkClient">
     >;
 };
 
 export function buildManagedIdentityConfiguration({
+    clientCapabilities,
     managedIdentityIdParams,
     system,
 }: ManagedIdentityConfiguration): ManagedIdentityNodeConfiguration {
@@ -290,6 +293,7 @@ export function buildManagedIdentityConfiguration({
     }
 
     return {
+        clientCapabilities: clientCapabilities || [],
         managedIdentityId: managedIdentityId,
         system: {
             loggerOptions,

@@ -8,8 +8,9 @@ import { ManagedIdentityRequestParams } from "./ManagedIdentityRequestParams.js"
 
 /**
  * ManagedIdentityRequest
- * - forceRefresh - forces managed identity requests to skip the cache and make network calls if true
- * - resource  - resource requested to access the protected API. It should be of the form "{ResourceIdUri}" or {ResourceIdUri/.default}. For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default
+ * - clientCapabilities - an array of client capabilities to be sent to ESTS
  */
 export type ManagedIdentityRequest = ManagedIdentityRequestParams &
-    CommonClientCredentialRequest;
+    CommonClientCredentialRequest & {
+        clientCapabilities?: Array<string>;
+    };
@@ -10,11 +10,22 @@ export const AUTHORIZATION_HEADER_NAME: string = "Authorization";
 export const METADATA_HEADER_NAME: string = "Metadata";
 export const APP_SERVICE_SECRET_HEADER_NAME: string = "X-IDENTITY-HEADER";
 export const SERVICE_FABRIC_SECRET_HEADER_NAME: string = "secret";
-export const API_VERSION_QUERY_PARAMETER_NAME: string = "api-version";
-export const RESOURCE_BODY_OR_QUERY_PARAMETER_NAME: string = "resource";
 export const DEFAULT_MANAGED_IDENTITY_ID = "system_assigned_managed_identity";
 export const MANAGED_IDENTITY_DEFAULT_TENANT = "managed_identity";
 export const DEFAULT_AUTHORITY_FOR_MANAGED_IDENTITY = `https://login.microsoftonline.com/${MANAGED_IDENTITY_DEFAULT_TENANT}/`;
+export const MSI_V1_MIN_VERSION = "2024-09-30";
+
+/**
+ * Managed Identity Query Parameters
+ */
+export const ManagedIdentityQueryParameters = {
+    API_VERSION: "api-version",
+    BYPASS_CACHE: "bypass_cache",
+    RESOURCE: "resource",
+    XMS_CC: "xms_cc",
+} as const;
+export type ManagedIdentityQueryParameters =
+    (typeof ManagedIdentityQueryParameters)[keyof typeof ManagedIdentityQueryParameters];
 
 /**
  * Managed Identity Environment Variable Names

@@ -28,6 +28,7 @@ import {
     ManagedIdentityEnvironmentVariableNames,
     ManagedIdentitySourceNames,
 } from "../../../src/utils/Constants.js";
+import { checkMSIV1MinimumVersion } from "../../utils/ManagedIdentity.js";
 
 describe("Acquires a token successfully via an App Service Managed Identity", () => {
     beforeAll(() => {
@@ -50,6 +51,8 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
         // reset static variables after each test
         delete ManagedIdentityClient["identitySource"];
         delete ManagedIdentityApplication["nodeStorage"];
+
+        jest.restoreAllMocks();
     });
 
     test("acquires a User Assigned Client Id token", async () => {
@@ -80,7 +83,12 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
             );
         });
 
-        test("acquires a token", async () => {
+        test("acquires a token and ensures the MSI V1 API minimum version is used", async () => {
+            const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
+                networkClient,
+                <any>"sendGetRequestAsync"
+            );
+
             const networkManagedIdentityResult: AuthenticationResult =
                 await managedIdentityApplication.acquireToken(
                     managedIdentityRequestParams
@@ -90,6 +98,9 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
             expect(networkManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
+
+            const url: string = sendGetRequestAsyncSpy.mock.lastCall[0];
+            checkMSIV1MinimumVersion(url);
         });
 
         test("returns an already acquired token from the cache", async () => {
@@ -154,8 +165,6 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
                     MANAGED_IDENTITY_APP_SERVICE_NETWORK_REQUEST_400_ERROR.correlation_id as string
                 )
             ).toBe(true);
-
-            jest.restoreAllMocks();
         });
     });
 });