Merge branch 'main' into fengga/mac-broker

CHANGELOG.md

@@ -1,3 +1,8 @@
+4.67.2
+==========
+### Bug Fixes
+- Fixed an issue with Managed Identity source detection where Azure ML was prioritized incorrectly over Azure App Service, causing token acquisition failures. See [Bug #5077](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/5077)
+
 4.67.1
 ==========
 ### Bug Fixes

src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentityClient.cs

@@ -62,11 +62,7 @@ internal static ManagedIdentitySource GetManagedIdentitySource(ILoggerAdapter lo
             string imdsEndpoint = EnvironmentVariables.ImdsEndpoint;
             string podIdentityEndpoint = EnvironmentVariables.PodIdentityEndpoint;
 
-            if (!string.IsNullOrEmpty(msiSecretMachineLearning) && !string.IsNullOrEmpty(msiEndpoint))
-            {
-                return ManagedIdentitySource.MachineLearning;
-            }
-            else if (!string.IsNullOrEmpty(identityEndpoint) && !string.IsNullOrEmpty(identityHeader))
+            if (!string.IsNullOrEmpty(identityEndpoint) && !string.IsNullOrEmpty(identityHeader))
             {
                 if (!string.IsNullOrEmpty(identityServerThumbprint))
                 {
@@ -77,6 +73,10 @@ internal static ManagedIdentitySource GetManagedIdentitySource(ILoggerAdapter lo
                     return ManagedIdentitySource.AppService;
                 }
             }
+            else if (!string.IsNullOrEmpty(msiSecretMachineLearning) && !string.IsNullOrEmpty(msiEndpoint))
+            {
+                return ManagedIdentitySource.MachineLearning;
+            }
             else if (!string.IsNullOrEmpty(msiEndpoint))
             {
                 return ManagedIdentitySource.CloudShell;

tests/Microsoft.Identity.Test.Common/Core/Helpers/ManagedIdentityTestUtil.cs

@@ -66,6 +66,41 @@ public static void SetEnvironmentVariables(ManagedIdentitySource managedIdentity
             }
         }
 
+        /// <summary>
+        /// Sets environment variables for testing upgrade scenarios.
+        /// This method mimics a scenario where older environment variables
+        /// (e.g., MSI_ENDPOINT and MSI_SECRET) from previous versions of
+        /// App Service (2017) still exist after an upgrade to newer versions (2019).
+        /// It ensures that MSAL's Managed Identity source detection can correctly
+        /// handle both legacy and new variables.
+        /// </summary>
+        /// <param name="managedIdentitySource">
+        /// The type of managed identity source being tested (e.g., AppService, MachineLearning).
+        /// </param>
+        /// <param name="endpoint">
+        /// The endpoint URL to be set as part of the environment variables.
+        /// </param>
+        /// <param name="secret">
+        /// Optional: The secret value to be set (default is "secret").
+        /// </param>
+        /// <param name="thumbprint">
+        /// Optional: The certificate thumbprint to be set (default is "thumbprint").
+        /// </param>
+        internal static void SetUpgradeScenarioEnvironmentVariables(ManagedIdentitySource managedIdentitySource, string endpoint, string secret = "secret", string thumbprint = "thumbprint")
+        {
+            // Use the common method to set base environment variables
+            SetEnvironmentVariables(managedIdentitySource, endpoint, secret, thumbprint);
+
+            // Add upgrade-specific variables where needed
+            switch (managedIdentitySource)
+            {
+                case ManagedIdentitySource.AppService:
+                    Environment.SetEnvironmentVariable("MSI_ENDPOINT", endpoint);
+                    Environment.SetEnvironmentVariable("MSI_SECRET", secret);
+                    break;
+            }
+        }
+
         /// <summary>
         /// Create the MIA with the http proxy
         /// </summary>

tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/AppServiceTests.cs

@@ -20,6 +20,8 @@ namespace Microsoft.Identity.Test.Unit.ManagedIdentityTests
     public class AppServiceTests : TestBase
     {
         private const string AppService = "App Service";
+        internal const string AppServiceEndpoint = "http://127.0.0.1:41564/msi/token";
+        internal const string MachineLearningEndpoint = "http://localhost:7071/msi/token";
 
         [TestMethod]
         public async Task AppServiceInvalidEndpointAsync()
@@ -47,5 +49,23 @@ await mi.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
                 Assert.AreEqual(string.Format(CultureInfo.InvariantCulture, MsalErrorMessage.ManagedIdentityEndpointInvalidUriError, "IDENTITY_ENDPOINT", "127.0.0.1:41564/msi/token", AppService), ex.Message);
             }
         }
+
+        // Regression test for Bug ID #5077 - ManagedIdentityCredential authentication failed 
+        [DataTestMethod]
+        [DataRow("http://127.0.0.1:41564/msi/token/", ManagedIdentitySource.AppService, ManagedIdentitySource.AppService)]
+        [DataRow(AppServiceEndpoint, ManagedIdentitySource.AppService, ManagedIdentitySource.AppService)]
+        [DataRow(MachineLearningEndpoint, ManagedIdentitySource.MachineLearning, ManagedIdentitySource.MachineLearning)]
+        public void TestAppServiceUpgradeScenario(
+            string endpoint,
+            ManagedIdentitySource managedIdentitySource,
+            ManagedIdentitySource expectedManagedIdentitySource)
+        {
+            using (new EnvVariableContext())
+            {
+                SetUpgradeScenarioEnvironmentVariables(managedIdentitySource, endpoint);
+
+                Assert.AreEqual(expectedManagedIdentitySource, ManagedIdentityApplication.GetManagedIdentitySource());
+            }
+        }
     }
 }