[Engineering task] Implement Claims API to Bypass Cache When Claims are Present in MSAL with Managed Identity #7206

Closed
gladjohn opened this issue Jul 17, 2024 · 1 comment · Fixed by #7207
Labels: confidential-client, feature-unconfirmed, more-information-needed, msal-node, msal-node-extensions

Comments

gladjohn commented Jul 17, 2024

Core Library

MSAL Node (@azure/msal-node)

Wrapper Library

MSAL Node Extensions (@azure/msal-node-extensions)

Public or Confidential Client?

Confidential

Description

MSAL client type

Managed identity

Problem Statement

MSAL client type

Confidential

Problem Statement

Task type
Development

Description
Currently, MSAL with Managed Identity does not expose any claims API. With CAE (Continuous Access Evaluation) being enabled by default, we need to implement a mechanism to bypass the cache if claims are detected in the token request.

Steps to Reproduce:

  • Enable CAE by default in MSAL with Managed Identity.
  • Make a token request with claims present.
  • Bypass the cache when claims are present.

Note: the MSI v1 endpoint is unchanged, so there is no need to pass any claims to the endpoint itself; this feature is done so that MSAL will bypass the cache.

Observe that the cache is not bypassed, leading to potential stale token usage.

Expected Behavior:
When claims are present in the token request, the cache should be bypassed to ensure that the latest token is used, in line with CAE requirements.

Proposed solution

  • Expose the claims API in MSAL for MI
  • Expose Claims to MI Assertion Provider for FIC

Alternatives

No response

Source

Internal (Microsoft)
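
The expected behavior requested above, as an added sketch that is not MSAL's code and not part of the original post: a cached token is served until a request carries claims, at which point the cache is skipped and the claims are not forwarded to the endpoint. The class, its parameters, the stand-in endpoint and the sample values are all hypothetical.

```javascript
// Added illustration. Names here are hypothetical, not the MSAL Node API.
class ManagedIdentityTokenClient {
  // fetchFromEndpoint(resource) stands in for the managed identity endpoint call.
  constructor(fetchFromEndpoint, now = () => Date.now()) {
    this.fetchFromEndpoint = fetchFromEndpoint;
    this.now = now;
    this.cache = new Map(); // resource -> { accessToken, expiresOn }
  }

  acquireToken({ resource, claims }) {
    // Claims on the request mean the resource issued a CAE claims challenge,
    // so the token sitting in the cache must not be handed out again.
    const hasClaims = typeof claims === "string" && claims.trim().length > 0;
    if (!hasClaims) {
      const hit = this.cache.get(resource);
      if (hit && hit.expiresOn > this.now()) {
        return { accessToken: hit.accessToken, fromCache: true };
      }
    }
    // Claims are deliberately not forwarded: per the issue, the MSI v1
    // endpoint is unchanged, so they only steer the cache decision.
    const fresh = this.fetchFromEndpoint(resource);
    this.cache.set(resource, fresh); // replace the stale entry
    return { accessToken: fresh.accessToken, fromCache: false };
  }
}

// Constructed stand-in endpoint: issues a new token on every call and
// records the arguments it was given.
function makeFakeEndpoint() {
  const calls = [];
  const fetch = (...args) => {
    calls.push(args);
    return { accessToken: `token-${calls.length}`, expiresOn: Date.now() + 3600 * 1000 };
  };
  return { fetch, calls };
}

function demo() {
  const endpoint = makeFakeEndpoint();
  const client = new ManagedIdentityTokenClient(endpoint.fetch);
  const resource = "https://resource.example"; // constructed value
  const first = client.acquireToken({ resource });
  const cached = client.acquireToken({ resource });
  // Constructed claims challenge payload.
  const claims = JSON.stringify({ access_token: { nbf: { essential: true, value: "1700000000" } } });
  const afterChallenge = client.acquireToken({ resource, claims });
  const next = client.acquireToken({ resource });
  return { first, cached, afterChallenge, next, endpointCalls: endpoint.calls };
}
```

Without the `hasClaims` check, the third call would return `token-1` again, which is the stale token usage the issue describes.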

@gladjohn gladjohn added question Customer is asking for a clarification, use case or information. feature-unconfirmed labels Jul 17, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Jul 17, 2024

Invalid Issue Template:
Please update the original issue and make sure to fill out the entire issue template so we can better assist you.

@github-actions github-actions bot added more-information-needed Use this label when you are waiting on information from the issue creator confidential-client Issues regarding ConfidentialClientApplications msal-node Related to msal-node package msal-node-extensions Related to msal-node-extensions package labels Jul 17, 2024
@Robbie-Microsoft Robbie-Microsoft self-assigned this Jul 17, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Jul 23, 2024
@AzureAD AzureAD deleted a comment from gladjohn Jul 25, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the no-issue-activity Issue author has not responded in 5 days label Jul 31, 2024
@Robbie-Microsoft Robbie-Microsoft removed question Customer is asking for a clarification, use case or information. more-information-needed Use this label when you are waiting on information from the issue creator no-issue-activity Issue author has not responded in 5 days msal-node-extensions Related to msal-node-extensions package Needs: Author Feedback Awaiting response from issue author labels Jul 31, 2024
@github-actions github-actions bot added more-information-needed Use this label when you are waiting on information from the issue creator msal-node-extensions Related to msal-node-extensions package labels Aug 6, 2024