MSI v1 token revocation specification

[gladjohn]

This pull request adds documentation for MSAL support for MSI v1 token revocation and capabilities. It introduces two optional parameters that developers can use to control token revocation and specify client capabilities when acquiring tokens via Managed Identity.

Key changes include:

• Documentation Addition:
  • docs/msiv1_token_revocation.md: Added detailed documentation describing the bypass_cache and xms_cc parameters, their purposes, behaviors, and use cases.

[bgavrilMS]

No mapping between public APIs and the new MSI params.

[bgavrilMS]

But this isn't signed off by Service Fabric? They want to know the exact token that needs to be invalidted.

[bgavrilMS]

Not the design SF wanted.

[bgavrilMS]

Needs more details on the E2E, i.e. how does token revocation happen? i.e. what script do I run as a tenant admin?

[gladjohn]

Looks good Bogdan, do we need to create another spec for MIA changes to support this? I have PR out there, and I can modify it based on the details from the diagram. But adding a one line on MSI design will be good to have for clarity

[rayluo]

Based on the original CAE design, the WithClientCapabilities is a per-app parameter in MSAL. That is one of the reason why xms_cc should not be used in the second last arrow in both diagrams, otherwise it would force SFRP to create new CCA instance per request, which would be too inefficient.

In the SF's MSIv1 token revocation design, their protocol accepts the claims parameter (signed off by eSTS architect), and it does not accept an xms_cc as a standalone parameter (which is not in original CAE protocol either). So, MSAL's ManagedIdentityApplication can simply relays the incoming WithClaims to SF.

I proposed suggestions on diagrams, accordingly.

You may also refer to this feature request for the same project.

[rayluo]

Either simply remove xms_cc

Suggested change

	MSAL->>SF: 3. Call MITS_endpoint?xms_cc=cp1
	MSAL->>SF: 3. Call MITS_endpoint

or do it in the standard CAE way which is MSAL automatically converts xms_cc=cp1 into a claims={"access_token": {"xms_cc": {"values": ["cp1"]}}} and send that blob to the wire.

[bgavrilMS]

MSAL needs to have that claims and capabilities separately, as they have different behavior. claims bypases cache, cp does not.

[bgavrilMS]

Also, if memory serves, the call to MITS is a GET call. So the claims parameter could lead to an URL too long issue. Not sure if this is really a problem since it's ussually browsers that refuse long urls.