MSI v1 token revocation specification #5137
+86
−0
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| # MSAL Support for MSI v1 Token Revocation and Capabilities | ||
|
|
||
| This specification describes **two optional parameters** that MSAL can send to the **MSI v1 endpoint** (e.g., `http://169.254.169.254/metadata/identity/oauth2/token`) when acquiring tokens via **Managed Identity**. These parameters empower developers to control **token revocation** and specify **client capabilities** that might alter the token issuance behavior by Azure AD (ESTS). | ||
|
|
||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| When MSAL requests a token from the MSI v1 endpoint for resources like `https://management.azure.com/`, it typically reuses valid, locally cached tokens. However, certain scenarios require explicitly **ignoring** the cache or specifying **client capabilities** that Azure AD uses to enable or disable particular features. | ||
gladjohn marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| To address these scenarios, two **optional** query parameters can be included in the MSI v1 token request: | ||
|
|
||
| 1. **`bypass_cache`** | ||
| - Forces a token refresh if set to `true`. | ||
| 2. **`xms_cc`** | ||
| - Declares special client capabilities that Azure AD should consider (e.g., for advanced or “undo revocation” scenarios). | ||
|
|
||
| --- | ||
|
|
||
| ## 1. `bypass_cache` | ||
|
There was a problem hiding this comment. But this isn't signed off by Service Fabric? They want to know the exact token that needs to be invalidted. |
||
|
|
||
| ### Purpose | ||
|
|
||
| Allows the developer to **get a brand-new token** from Azure AD. When `bypass_cache=true`, MSAL will ignore any valid, cached token and ensure the MSI v1 endpoint fetches a **new** token from Azure AD rather than returning a cached one. | ||
|
|
||
| ### Behavior | ||
| - If set to `true`, MSAL will send `bypass_cache=true` to the MSI endpoint. | ||
| - If set to `false` or omitted, MSAL can return a cached token (if one exists and is still valid). | ||
|
|
||
| ### Use Cases | ||
| - **Token Revocation**: Ensures any previously revoked or invalidated token is not served from cache. | ||
|
|
||
| --- | ||
|
|
||
| ## 2. `xms_cc` | ||
|
|
||
| ### Purpose | ||
|
|
||
| Enables the developer to specify **client capabilities** in the token acquisition request. These capabilities are often used to unlock or disable specific features in Azure AD, such as handling specialized revocation scenarios. | ||
|
|
||
| ### Behavior | ||
| - The value is typically a comma-separated list of capability strings. | ||
| - MSAL sends `xms_cc` to the MSI v1 endpoint, which then relays these capabilities to Azure AD as part of a JSON-encoded `claims` parameter. | ||
|
|
||
| ### Use Cases | ||
| - **“Undo token revocation”** or other advanced features: By setting the required capabilities (`cp1`, etc.), MSAL can influence how Azure AD issues the token. | ||
|
|
||
| --- | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs more details on the E2E, i.e. how does token revocation happen? i.e. what script do I run as a tenant admin?