Added token revocation functionality to Managed Identity's App Service and Service Fabric sources

change/@azure-msal-node-870e01a0-ed8b-4e52-8367-c05200d113c5.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Added token revocation functionality to Managed Identity's App Service and Service Fabric Sources #7679",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

lib/msal-node/apiReview/msal-node.api.md

@@ -397,6 +397,7 @@ export class ManagedIdentityApplication {
 
 // @public (undocumented)
 export type ManagedIdentityConfiguration = {
+    clientCapabilities?: Array<string>;
     managedIdentityIdParams?: ManagedIdentityIdParams;
     system?: NodeSystemOptions;
 };

lib/msal-node/src/client/ManagedIdentityApplication.ts

@@ -35,6 +35,13 @@ import {
     DEFAULT_AUTHORITY_FOR_MANAGED_IDENTITY,
     ManagedIdentitySourceNames,
 } from "../utils/Constants.js";
+import { ManagedIdentityId } from "../config/ManagedIdentityId.js";
+
+const SOURCES_THAT_SUPPORT_TOKEN_REVOCATION: Array<ManagedIdentitySourceNames> =
+    [
+        ManagedIdentitySourceNames.APP_SERVICE,
+        ManagedIdentitySourceNames.SERVICE_FABRIC,
+    ];
 
 /**
  * Class to initialize a managed identity and identify the service
@@ -141,14 +148,12 @@ export class ManagedIdentityApplication {
             ],
             authority: this.fakeAuthority.canonicalAuthority,
             correlationId: this.cryptoProvider.createNewGuid(),
+            claims: managedIdentityRequestParams.claims,
+            clientCapabilities: this.config.clientCapabilities,
         };
 
-        if (
-            managedIdentityRequestParams.claims ||
-            managedIdentityRequest.forceRefresh
-        ) {
-            // make a network call to the managed identity source
-            return this.managedIdentityClient.sendManagedIdentityTokenRequest(
+        if (managedIdentityRequest.forceRefresh) {
+            return this.acquireTokenFromManagedIdentity(
                 managedIdentityRequest,
                 this.config.managedIdentityId,
                 this.fakeAuthority
@@ -164,16 +169,47 @@ export class ManagedIdentityApplication {
                 ManagedIdentityApplication.nodeStorage as NodeStorage
             );
 
+        /*
+         * Check if claims are present in the managed identity request.
+         * If so, the cached token will not be used.
+         */
+        if (managedIdentityRequest.claims) {
+            const sourceName: ManagedIdentitySourceNames =
+                this.managedIdentityClient.getManagedIdentitySource();
+
+            /*
+             * Check if there is a cached token and if the Managed Identity source supports token revocation.
+             * If so, hash the cached access token and add it to the request.
+             */
+            if (
+                cachedAuthenticationResult &&
+                SOURCES_THAT_SUPPORT_TOKEN_REVOCATION.includes(sourceName)
+            ) {
+                const revokedTokenSha256Hash: string =
+                    await this.cryptoProvider.hashString(
+                        cachedAuthenticationResult.accessToken
+                    );
+                managedIdentityRequest.revokedTokenSha256Hash =
+                    revokedTokenSha256Hash;
+            }
+
+            return this.acquireTokenFromManagedIdentity(
+                managedIdentityRequest,
+                this.config.managedIdentityId,
+                this.fakeAuthority
+            );
+        }
+
         if (cachedAuthenticationResult) {
             // if the token is not expired but must be refreshed; get a new one in the background
             if (lastCacheOutcome === CacheOutcome.PROACTIVELY_REFRESHED) {
                 this.logger.info(
                     "ClientCredentialClient:getCachedAuthenticationResult - Cached access token's refreshOn property has been exceeded'. It's not expired, but must be refreshed."
                 );
 
-                // make a network call to the managed identity source; refresh the access token in the background
+                // force refresh; will run in the background
                 const refreshAccessToken = true;
-                await this.managedIdentityClient.sendManagedIdentityTokenRequest(
+                await this.acquireTokenFromManagedIdentity(
                     managedIdentityRequest,
                     this.config.managedIdentityId,
                     this.fakeAuthority,
@@ -183,15 +219,39 @@ export class ManagedIdentityApplication {
 
             return cachedAuthenticationResult;
         } else {
-            // make a network call to the managed identity source
-            return this.managedIdentityClient.sendManagedIdentityTokenRequest(
+            return this.acquireTokenFromManagedIdentity(
                 managedIdentityRequest,
                 this.config.managedIdentityId,
                 this.fakeAuthority
             );
         }
     }
 
+    /**
+     * Acquires a token from a managed identity endpoint.
+     *
+     * @param managedIdentityRequest - The request object containing parameters for the managed identity token request.
+     * @param managedIdentityId - The identifier for the managed identity (e.g., client ID or resource ID).
+     * @param fakeAuthority - A placeholder authority used for the token request.
+     * @param refreshAccessToken - Optional flag indicating whether to force a refresh of the access token.
+     * @returns A promise that resolves to an {@link AuthenticationResult} containing the acquired token and related information.
+     * @throws {@link AuthenticationError} if the token acquisition fails.
+     */
+    private async acquireTokenFromManagedIdentity(
+        managedIdentityRequest: ManagedIdentityRequest,
+        managedIdentityId: ManagedIdentityId,
+        fakeAuthority: Authority,
+        refreshAccessToken?: boolean
+    ): Promise<AuthenticationResult> {
+        // make a network call to the managed identity
+        return this.managedIdentityClient.sendManagedIdentityTokenRequest(
+            managedIdentityRequest,
+            managedIdentityId,
+            fakeAuthority,
+            refreshAccessToken
+        );
+    }
+
     /**
      * Determine the Managed Identity Source based on available environment variables. This API is consumed by Azure Identity SDK.
      * @returns ManagedIdentitySourceNames - The Managed Identity source's name

lib/msal-node/src/client/ManagedIdentitySources/AppService.ts

@@ -7,20 +7,19 @@ import { INetworkModule, Logger } from "@azure/msal-common/node";
 import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
 import {
     HttpMethod,
-    APP_SERVICE_SECRET_HEADER_NAME,
-    API_VERSION_QUERY_PARAMETER_NAME,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
     ManagedIdentityEnvironmentVariableNames,
     ManagedIdentitySourceNames,
     ManagedIdentityIdType,
+    ManagedIdentityQueryParameters,
+    ManagedIdentityHeaders,
 } from "../../utils/Constants.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
 import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 
 // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
-const APP_SERVICE_MSI_API_VERSION: string = "2019-08-01";
+const APP_SERVICE_MSI_API_VERSION: string = "2025-03-30";
 
 /**
  * Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/AppServiceManagedIdentitySource.cs
@@ -114,11 +113,12 @@ export class AppService extends BaseManagedIdentitySource {
                 this.identityEndpoint
             );
 
-        request.headers[APP_SERVICE_SECRET_HEADER_NAME] = this.identityHeader;
+        request.headers[ManagedIdentityHeaders.APP_SERVICE_SECRET_HEADER_NAME] =
+            this.identityHeader;
 
-        request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.API_VERSION] =
             APP_SERVICE_MSI_API_VERSION;
-        request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         if (

lib/msal-node/src/client/ManagedIdentitySources/AzureArc.ts

@@ -22,15 +22,13 @@ import {
     createManagedIdentityError,
 } from "../../error/ManagedIdentityError.js";
 import {
-    API_VERSION_QUERY_PARAMETER_NAME,
-    AUTHORIZATION_HEADER_NAME,
     AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES,
     HttpMethod,
-    METADATA_HEADER_NAME,
     ManagedIdentityEnvironmentVariableNames,
+    ManagedIdentityHeaders,
     ManagedIdentityIdType,
+    ManagedIdentityQueryParameters,
     ManagedIdentitySourceNames,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
 } from "../../utils/Constants.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 import {
@@ -201,11 +199,11 @@ export class AzureArc extends BaseManagedIdentitySource {
                 this.identityEndpoint.replace("localhost", "127.0.0.1")
             );
 
-        request.headers[METADATA_HEADER_NAME] = "true";
+        request.headers[ManagedIdentityHeaders.METADATA_HEADER_NAME] = "true";
 
-        request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.API_VERSION] =
             ARC_API_VERSION;
-        request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         // bodyParameters calculated in BaseManagedIdentity.acquireTokenWithManagedIdentity
@@ -303,7 +301,9 @@ export class AzureArc extends BaseManagedIdentitySource {
             this.logger.info(
                 `[Managed Identity] Adding authorization header to the request.`
             );
-            networkRequest.headers[AUTHORIZATION_HEADER_NAME] = authHeaderValue;
+            networkRequest.headers[
+                ManagedIdentityHeaders.AUTHORIZATION_HEADER_NAME
+            ] = authHeaderValue;
 
             try {
                 retryResponse =

lib/msal-node/src/client/ManagedIdentitySources/BaseManagedIdentitySource.ts

@@ -24,7 +24,11 @@ import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
 import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import { ManagedIdentityRequest } from "../../request/ManagedIdentityRequest.js";
-import { HttpMethod, ManagedIdentityIdType } from "../../utils/Constants.js";
+import {
+    HttpMethod,
+    ManagedIdentityIdType,
+    ManagedIdentityQueryParameters,
+} from "../../utils/Constants.js";
 import { ManagedIdentityTokenResponse } from "../../response/ManagedIdentityTokenResponse.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 import {
@@ -146,6 +150,29 @@ export abstract class BaseManagedIdentitySource {
                 managedIdentityId
             );
 
+        if (managedIdentityRequest.revokedTokenSha256Hash) {
+            this.logger.info(
+                `[Managed Identity] The following claims are present in the request: ${managedIdentityRequest.claims}`
+            );
+
+            networkRequest.queryParameters[
+                ManagedIdentityQueryParameters.SHA256_TOKEN_TO_REFRESH
+            ] = managedIdentityRequest.revokedTokenSha256Hash;
+        }
+
+        if (managedIdentityRequest.clientCapabilities?.length) {
+            const clientCapabilities: string =
+                managedIdentityRequest.clientCapabilities.toString();
+
+            this.logger.info(
+                `[Managed Identity] The following client capabilities are present in the request: ${clientCapabilities}`
+            );
+
+            networkRequest.queryParameters[
+                ManagedIdentityQueryParameters.XMS_CC
+            ] = clientCapabilities;
+        }
+
         const headers: Record<string, string> = networkRequest.headers;
         headers[HeaderNames.CONTENT_TYPE] = Constants.URL_FORM_CONTENT_TYPE;
 

lib/msal-node/src/client/ManagedIdentitySources/CloudShell.ts

@@ -10,11 +10,11 @@ import { NodeStorage } from "../../cache/NodeStorage.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import {
     HttpMethod,
-    METADATA_HEADER_NAME,
     ManagedIdentityEnvironmentVariableNames,
+    ManagedIdentityHeaders,
     ManagedIdentityIdType,
+    ManagedIdentityQueryParameters,
     ManagedIdentitySourceNames,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
 } from "../../utils/Constants.js";
 import {
     ManagedIdentityErrorCodes,
@@ -109,9 +109,9 @@ export class CloudShell extends BaseManagedIdentitySource {
                 this.msiEndpoint
             );
 
-        request.headers[METADATA_HEADER_NAME] = "true";
+        request.headers[ManagedIdentityHeaders.METADATA_HEADER_NAME] = "true";
 
-        request.bodyParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.bodyParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         return request;

lib/msal-node/src/client/ManagedIdentitySources/Imds.ts

@@ -9,13 +9,12 @@ import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRe
 import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import {
-    API_VERSION_QUERY_PARAMETER_NAME,
     HttpMethod,
-    METADATA_HEADER_NAME,
     ManagedIdentityEnvironmentVariableNames,
+    ManagedIdentityHeaders,
     ManagedIdentityIdType,
+    ManagedIdentityQueryParameters,
     ManagedIdentitySourceNames,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
 } from "../../utils/Constants.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 import { ImdsRetryPolicy } from "../../retry/ImdsRetryPolicy.js";
@@ -112,11 +111,11 @@ export class Imds extends BaseManagedIdentitySource {
                 this.identityEndpoint
             );
 
-        request.headers[METADATA_HEADER_NAME] = "true";
+        request.headers[ManagedIdentityHeaders.METADATA_HEADER_NAME] = "true";
 
-        request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.API_VERSION] =
             IMDS_API_VERSION;
-        request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         if (

lib/msal-node/src/client/ManagedIdentitySources/MachineLearning.ts

@@ -7,13 +7,11 @@ import { INetworkModule, Logger } from "@azure/msal-common/node";
 import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
 import {
     HttpMethod,
-    API_VERSION_QUERY_PARAMETER_NAME,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
     ManagedIdentityEnvironmentVariableNames,
     ManagedIdentitySourceNames,
     ManagedIdentityIdType,
-    METADATA_HEADER_NAME,
-    ML_AND_SF_SECRET_HEADER_NAME,
+    ManagedIdentityQueryParameters,
+    ManagedIdentityHeaders,
 } from "../../utils/Constants.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
@@ -107,12 +105,13 @@ export class MachineLearning extends BaseManagedIdentitySource {
                 this.msiEndpoint
             );
 
-        request.headers[METADATA_HEADER_NAME] = "true";
-        request.headers[ML_AND_SF_SECRET_HEADER_NAME] = this.secret;
+        request.headers[ManagedIdentityHeaders.METADATA_HEADER_NAME] = "true";
+        request.headers[ManagedIdentityHeaders.ML_AND_SF_SECRET_HEADER_NAME] =
+            this.secret;
 
-        request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.API_VERSION] =
             MACHINE_LEARNING_MSI_API_VERSION;
-        request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         if (

lib/msal-node/src/client/ManagedIdentitySources/ServiceFabric.ts

@@ -10,13 +10,12 @@ import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 import { CryptoProvider } from "../../crypto/CryptoProvider.js";
 import {
-    API_VERSION_QUERY_PARAMETER_NAME,
     HttpMethod,
     ManagedIdentityEnvironmentVariableNames,
     ManagedIdentityIdType,
     ManagedIdentitySourceNames,
-    RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
-    ML_AND_SF_SECRET_HEADER_NAME,
+    ManagedIdentityQueryParameters,
+    ManagedIdentityHeaders,
 } from "../../utils/Constants.js";
 
 // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
@@ -131,11 +130,12 @@ export class ServiceFabric extends BaseManagedIdentitySource {
                 this.identityEndpoint
             );
 
-        request.headers[ML_AND_SF_SECRET_HEADER_NAME] = this.identityHeader;
+        request.headers[ManagedIdentityHeaders.ML_AND_SF_SECRET_HEADER_NAME] =
+            this.identityHeader;
 
-        request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.API_VERSION] =
             SERVICE_FABRIC_MSI_API_VERSION;
-        request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
+        request.queryParameters[ManagedIdentityQueryParameters.RESOURCE] =
             resource;
 
         if (