Implemented functionality to skip the cache for MI when claims are pr…

…ovided (#7207) Re-used functionality from ClientCredential flow. This PR originally contained code to deprecate client assertion strings. That will now be a separate PR.
AzureAD · Sep 30, 2024 · 68d29bb · 68d29bb
1 parent b29b5b1
commit 68d29bb
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 2 deletions.
diff --git a/change/@azure-msal-node-61f7f536-1cf8-4eef-ac92-89902d8e6963.json b/change/@azure-msal-node-61f7f536-1cf8-4eef-ac92-89902d8e6963.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Implemented functionality to skip the cache for MI when claims are provided #7207",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/lib/msal-node/apiReview/msal-node.api.md b/lib/msal-node/apiReview/msal-node.api.md
@@ -449,6 +449,7 @@ export type ManagedIdentityIdParams = {
 //
 // @public
 export type ManagedIdentityRequestParams = {
+    claims?: string;
     forceRefresh?: boolean;
     resource: string;
 };

diff --git a/lib/msal-node/src/client/ManagedIdentityApplication.ts b/lib/msal-node/src/client/ManagedIdentityApplication.ts
@@ -142,7 +142,10 @@ export class ManagedIdentityApplication {
             correlationId: this.cryptoProvider.createNewGuid(),
         };
 
-        if (managedIdentityRequest.forceRefresh) {
+        if (
+            managedIdentityRequestParams.claims ||
+            managedIdentityRequest.forceRefresh
+        ) {
             // make a network call to the managed identity source
             return this.managedIdentityClient.sendManagedIdentityTokenRequest(
                 managedIdentityRequest,

diff --git a/lib/msal-node/src/request/ManagedIdentityRequestParams.ts b/lib/msal-node/src/request/ManagedIdentityRequestParams.ts
@@ -5,10 +5,12 @@
 
 /**
  * ManagedIdentityRequest
+ * - claims       - a stringified claims request which will be used to determine whether or not the cache should be skipped
  * - forceRefresh - forces managed identity requests to skip the cache and make network calls if true
- * - resource  - resource requested to access the protected API. It should be of the form "{ResourceIdUri}" or {ResourceIdUri/.default}. For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default
+ * - resource     - resource requested to access the protected API. It should be of the form "{ResourceIdUri}" or {ResourceIdUri/.default}. For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default
  */
 export type ManagedIdentityRequestParams = {
+    claims?: string;
     forceRefresh?: boolean;
     resource: string;
 };
diff --git a/lib/msal-node/test/client/ManagedIdentitySources/Imds.spec.ts b/lib/msal-node/test/client/ManagedIdentitySources/Imds.spec.ts
@@ -14,6 +14,7 @@ import {
     MANAGED_IDENTITY_RESOURCE_ID,
     MANAGED_IDENTITY_RESOURCE_ID_2,
     MANAGED_IDENTITY_TOKEN_RETRIEVAL_ERROR_MESSAGE,
+    TEST_CONFIG,
     THREE_SECONDS_IN_MILLI,
     getCacheKey,
 } from "../../test_kit/StringConstants";
@@ -548,6 +549,37 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
             );
         });
 
+        test("ignores a cached token when claims are provided", async () => {
+            let networkManagedIdentityResult: AuthenticationResult =
+                await systemAssignedManagedIdentityApplication.acquireToken({
+                    resource: MANAGED_IDENTITY_RESOURCE,
+                });
+            expect(networkManagedIdentityResult.fromCache).toBe(false);
+
+            expect(networkManagedIdentityResult.accessToken).toEqual(
+                DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+            );
+
+            const cachedManagedIdentityResult: AuthenticationResult =
+                await systemAssignedManagedIdentityApplication.acquireToken({
+                    resource: MANAGED_IDENTITY_RESOURCE,
+                });
+            expect(cachedManagedIdentityResult.fromCache).toBe(true);
+            expect(cachedManagedIdentityResult.accessToken).toEqual(
+                DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+            );
+
+            networkManagedIdentityResult =
+                await systemAssignedManagedIdentityApplication.acquireToken({
+                    claims: TEST_CONFIG.CLAIMS,
+                    resource: MANAGED_IDENTITY_RESOURCE,
+                });
+            expect(networkManagedIdentityResult.fromCache).toBe(false);
+            expect(networkManagedIdentityResult.accessToken).toEqual(
+                DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+            );
+        });
+
         test("ignores a cached token when forceRefresh is set to true", async () => {
             let networkManagedIdentityResult: AuthenticationResult =
                 await systemAssignedManagedIdentityApplication.acquireToken({