AzureAD · Robbie-Microsoft · Apr 2, 2025 · Apr 2, 2025 · Apr 2, 2025 · Apr 2, 2025
@@ -185,12 +185,12 @@ export class ManagedIdentityApplication {
                 cachedAuthenticationResult &&
                 SOURCES_THAT_SUPPORT_TOKEN_REVOCATION.includes(sourceName)
             ) {
-                const accessTokenSha256Hash: string =
+                const revokedTokenSha256Hash: string =
                     await this.cryptoProvider.hashString(
                         cachedAuthenticationResult.accessToken
                     );
-                managedIdentityRequest.accessTokenSha256Hash =
-                    accessTokenSha256Hash;
+                managedIdentityRequest.revokedTokenSha256Hash =
+                    revokedTokenSha256Hash;
             }
 
             return this.acquireTokenFromManagedIdentity(

@@ -150,14 +150,14 @@ export abstract class BaseManagedIdentitySource {
                 managedIdentityId
             );
 
-        if (managedIdentityRequest.accessTokenSha256Hash) {
+        if (managedIdentityRequest.revokedTokenSha256Hash) {
             this.logger.info(
                 `[Managed Identity] The following claims are present in the request: ${managedIdentityRequest.claims}`
             );
 
             networkRequest.queryParameters[
                 ManagedIdentityQueryParameters.SHA256_TOKEN_TO_REFRESH
-            ] = managedIdentityRequest.accessTokenSha256Hash;
+            ] = managedIdentityRequest.revokedTokenSha256Hash;
         }
 
         if (managedIdentityRequest.clientCapabilities?.length) {

@@ -8,11 +8,11 @@ import { ManagedIdentityRequestParams } from "./ManagedIdentityRequestParams.js"
 
 /**
  * ManagedIdentityRequest
- * - forceRefresh - forces managed identity requests to skip the cache and make network calls if true
- * - resource  - resource requested to access the protected API. It should be of the form "{ResourceIdUri}" or {ResourceIdUri/.default}. For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default
+ * - clientCapabilities      - an array of capabilities to be added to all network requests as part of the `xms_cc` claims request
+ * - revokedTokenSha256Hash  - a SHA256 hash of the token to be revoked. The managed identity will revoke the token based on a SHA256 hash of the token, not the token itself. This is to prevent the token from being leaked in transit.
  */
 export type ManagedIdentityRequest = ManagedIdentityRequestParams &
     CommonClientCredentialRequest & {
         clientCapabilities?: Array<string>;
-        accessTokenSha256Hash?: string;
+        revokedTokenSha256Hash?: string;
     };
@@ -137,7 +137,7 @@ describe("ConfidentialClientApplication", () => {
 
                 const config: Configuration =
                     await ClientTestUtils.createTestConfidentialClientConfiguration(
-                        ["cp1", "cp2"],
+                        CAE_CONSTANTS.CLIENT_CAPABILITIES,
                         mockNetworkClient(
                             {}, // not needed
                             CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT

@@ -5,6 +5,7 @@
 
 import { ManagedIdentityApplication } from "../../../src/client/ManagedIdentityApplication.js";
 import {
+    CAE_CONSTANTS,
     DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT,
     DEFAULT_USER_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT,
     MANAGED_IDENTITY_APP_SERVICE_NETWORK_REQUEST_400_ERROR,
@@ -33,13 +34,17 @@ import {
     ManagedIdentitySourceNames,
 } from "../../../src/utils/Constants.js";
 import { ManagedIdentityUserAssignedIdQueryParameterNames } from "../../../src/client/ManagedIdentitySources/BaseManagedIdentitySource.js";
+import { CryptoProvider } from "../../../src/index.js";
 
 describe("Acquires a token successfully via an App Service Managed Identity", () => {
+    let cryptoProvider: CryptoProvider;
     beforeAll(() => {
         process.env[ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT] =
             "fake_IDENTITY_ENDPOINT";
         process.env[ManagedIdentityEnvironmentVariableNames.IDENTITY_HEADER] =
             "fake_IDENTITY_HEADER";
+
+        cryptoProvider = new CryptoProvider();
     });
 
     afterAll(() => {
@@ -179,22 +184,18 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
     });
 
     describe("Miscellaneous", () => {
-        let managedIdentityApplication: ManagedIdentityApplication;
-        beforeEach(() => {
-            managedIdentityApplication = new ManagedIdentityApplication(
-                systemAssignedConfig
-            );
-            expect(managedIdentityApplication.getManagedIdentitySource()).toBe(
-                ManagedIdentitySourceNames.APP_SERVICE
-            );
-        });
-
-        test("ignores a cached token when claims are provided, and the Managed Identity does support token revocation, and ensures the token revocation query parameter token_sha256_to_refresh was included in the network request to the Managed Identity", async () => {
+        test("ignores a cached token when claims are provided and the Managed Identity does support token revocation, and ensures the token revocation query parameter token_sha256_to_refresh was included in the network request to the Managed Identity", async () => {
             const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
                 networkClient,
                 <any>"sendGetRequestAsync"
             );
 
+            const managedIdentityApplication: ManagedIdentityApplication =
+                new ManagedIdentityApplication({
+                    ...systemAssignedConfig,
+                    clientCapabilities: CAE_CONSTANTS.CLIENT_CAPABILITIES,
+                });
+
             let networkManagedIdentityResult: AuthenticationResult =
                 await managedIdentityApplication.acquireToken({
                     resource: MANAGED_IDENTITY_RESOURCE,
@@ -204,6 +205,15 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
                 DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
 
+            expect(sendGetRequestAsyncSpy.mock.calls.length).toEqual(1);
+            const firstNetworkRequestUrlParams: URLSearchParams =
+                new URLSearchParams(sendGetRequestAsyncSpy.mock.lastCall[0]);
+            expect(
+                firstNetworkRequestUrlParams.get(
+                    ManagedIdentityQueryParameters.XMS_CC
+                )
+            ).toEqual(CAE_CONSTANTS.CLIENT_CAPABILITIES.toString());
+
             const cachedManagedIdentityResult: AuthenticationResult =
                 await managedIdentityApplication.acquireToken({
                     resource: MANAGED_IDENTITY_RESOURCE,
@@ -212,6 +222,7 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
             expect(cachedManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
+            expect(sendGetRequestAsyncSpy.mock.calls.length).toEqual(1);
 
             networkManagedIdentityResult =
                 await managedIdentityApplication.acquireToken({
@@ -224,12 +235,17 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
             );
 
             expect(sendGetRequestAsyncSpy.mock.calls.length).toEqual(2);
-            const url: URLSearchParams = new URLSearchParams(
-                sendGetRequestAsyncSpy.mock.lastCall[0]
-            );
+            const secondNetworkRequestUrlParams: URLSearchParams =
+                new URLSearchParams(sendGetRequestAsyncSpy.mock.lastCall[0]);
             expect(
-                url.has(ManagedIdentityQueryParameters.SHA256_TOKEN_TO_REFRESH)
-            ).toBe(true);
+                secondNetworkRequestUrlParams.get(
+                    ManagedIdentityQueryParameters.SHA256_TOKEN_TO_REFRESH
+                )
+            ).toEqual(
+                await cryptoProvider.hashString(
+                    DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+                )
+            );
         });
     });
 

@@ -6,6 +6,7 @@
 import { ManagedIdentityApplication } from "../../../src/client/ManagedIdentityApplication.js";
 import { ManagedIdentityConfiguration } from "../../../src/config/Configuration.js";
 import {
+    CAE_CONSTANTS,
     DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT,
     DEFAULT_USER_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT,
     IMDS_EXPONENTIAL_STRATEGY_MAX_RETRIES_IN_MS,
@@ -680,26 +681,42 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
                 <any>"sendGetRequestAsync"
             );
 
+            const managedIdentityApplication: ManagedIdentityApplication =
+                new ManagedIdentityApplication({
+                    ...systemAssignedConfig,
+                    clientCapabilities: CAE_CONSTANTS.CLIENT_CAPABILITIES,
+                });
+
             let networkManagedIdentityResult: AuthenticationResult =
-                await systemAssignedManagedIdentityApplication.acquireToken({
+                await managedIdentityApplication.acquireToken({
                     resource: MANAGED_IDENTITY_RESOURCE,
                 });
             expect(networkManagedIdentityResult.fromCache).toBe(false);
             expect(networkManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
 
+            expect(sendGetRequestAsyncSpy.mock.calls.length).toEqual(1);
+            const firstNetworkRequestUrlParams: URLSearchParams =
+                new URLSearchParams(sendGetRequestAsyncSpy.mock.lastCall[0]);
+            expect(
+                firstNetworkRequestUrlParams.get(
+                    ManagedIdentityQueryParameters.XMS_CC
+                )
+            ).toEqual(CAE_CONSTANTS.CLIENT_CAPABILITIES.toString());
+
             const cachedManagedIdentityResult: AuthenticationResult =
-                await systemAssignedManagedIdentityApplication.acquireToken({
+                await managedIdentityApplication.acquireToken({
                     resource: MANAGED_IDENTITY_RESOURCE,
                 });
             expect(cachedManagedIdentityResult.fromCache).toBe(true);
             expect(cachedManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
+            expect(sendGetRequestAsyncSpy.mock.calls.length).toEqual(1);
 
             networkManagedIdentityResult =
-                await systemAssignedManagedIdentityApplication.acquireToken({
+                await managedIdentityApplication.acquireToken({
                     claims: TEST_CONFIG.CLAIMS,
                     resource: MANAGED_IDENTITY_RESOURCE,
                 });
@@ -709,11 +726,12 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
             );
 
             expect(sendGetRequestAsyncSpy.mock.calls.length).toEqual(2);
-            const url: URLSearchParams = new URLSearchParams(
-                sendGetRequestAsyncSpy.mock.lastCall[0]
-            );
+            const secondNetworkRequestUrlParams: URLSearchParams =
+                new URLSearchParams(sendGetRequestAsyncSpy.mock.lastCall[0]);
             expect(
-                url.has(ManagedIdentityQueryParameters.SHA256_TOKEN_TO_REFRESH)
+                secondNetworkRequestUrlParams.has(
+                    ManagedIdentityQueryParameters.SHA256_TOKEN_TO_REFRESH
+                )
             ).toBe(false);
         });
 

diff --git a/package-lock.json b/package-lock.json