[Engineering task] Implement Claims API to Bypass Cache When Claims are Present in MSAL with Managed Identity #842

Open
gladjohn opened this issue Jul 17, 2024 · 1 comment
Assignees
Labels
AzureSDK (issues and requests affecting the Azure SDK), confidential-client (issues related to confidential client apps), Feature Request (request for new functionality), P1 (high priority items, should be done before any other work), scenario:ManagedIdentity

Comments


gladjohn commented Jul 17, 2024

MSAL client type

Managed identity; Confidential

Problem Statement

Task type
Development

Description
Currently, MSAL with Managed Identity does not expose any claims API. With CAE (Continuous Access Evaluation) being enabled by default, we need to implement a mechanism to bypass the cache if claims are detected in the token request.

Steps to Reproduce:

  • Enable CAE by default in MSAL with Managed Identity.
  • Make a token request with claims present.

Observe that the cache is not bypassed, leading to potential stale token usage.

Expected Behavior:
When claims are present in the token request, the cache should be bypassed to ensure that the latest token is used, in line with CAE requirements.

Proposed solution

  • Expose the claims API in MSAL for MI
  • Expose claims to the MI assertion provider for FIC
  • Bypass the cache when claims are present

Note: the MSI v1 endpoint is unchanged, so there is no need to pass any claims to the endpoint itself; this feature exists so that MSAL will bypass the cache.

Alternatives

No response
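The behaviour requested above, as an added Python example that is not MSAL's code and not part of this issue: a stand-in MSI v1 endpoint with no claims parameter, a minimal managed-identity client with a per-resource cache, and a parser for the CAE claims challenge that a resource returns in its WWW-Authenticate header (`error="insufficient_claims", claims="<base64 JSON>"`, the documented challenge shape). With `bypass_cache_on_claims=False` the client reproduces the reported defect (the cached, now-revoked token is returned); with `True` a claims-bearing request skips the cache and refreshes without forwarding the claims to the endpoint. All names (`FakeMsiEndpoint`, `ManagedIdentityClient`, `extract_claims_challenge`, `run_scenario`), the resource URL and the sample claims JSON are constructed for this example.

```python
import base64
import json
import re
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class FakeMsiEndpoint:
    """Stand-in for the MSI v1 endpoint (constructed for this example).
    It takes no claims parameter: every call simply mints a new token for
    the requested resource. The 'revoked' set simulates CAE revoking a
    token that the cache still considers valid by its expiry time."""
    calls: int = 0
    revoked: set = field(default_factory=set)

    def request_token(self, resource: str) -> Dict:
        self.calls += 1
        return {
            "access_token": f"tok-{self.calls}-{resource}",
            "resource": resource,
            "expires_on": int(time.time()) + 3600,
        }

    def accepts(self, token: str) -> bool:
        return token not in self.revoked


@dataclass
class ManagedIdentityClient:
    """Minimal MI token client with a per-resource cache (hypothetical)."""
    endpoint: FakeMsiEndpoint
    bypass_cache_on_claims: bool = True   # False reproduces the reported bug
    cache: Dict[str, Dict] = field(default_factory=dict)

    def acquire_token(self, resource: str, claims: Optional[str] = None) -> Dict:
        use_cache = claims is None or not self.bypass_cache_on_claims
        if use_cache:
            hit = self.cache.get(resource)
            if hit is not None and hit["expires_on"] > time.time():
                return {**hit, "from_cache": True}
        # Claims present (and honoured): skip the cache and refresh. The claims
        # are deliberately NOT forwarded; the MSI v1 endpoint has no parameter
        # for them, so the refresh itself is the whole response to the challenge.
        fresh = self.endpoint.request_token(resource)
        self.cache[resource] = fresh
        return {**fresh, "from_cache": False}


_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def extract_claims_challenge(www_authenticate: str) -> Optional[str]:
    """Return the JSON claims string carried by a CAE claims challenge
    (Bearer ... error="insufficient_claims", claims="<base64>"), else None."""
    if not www_authenticate.startswith("Bearer "):
        return None
    params = dict(_PARAM_RE.findall(www_authenticate))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)            # tolerate stripped base64 padding
    decoded = base64.b64decode(raw).decode("utf-8")
    json.loads(decoded)                      # reject anything that is not JSON
    return decoded


def make_challenge(claims_json: str) -> str:
    """Build a challenge header the way a resource would (constructed sample)."""
    encoded = base64.b64encode(claims_json.encode("utf-8")).decode("ascii")
    return f'Bearer realm="", error="insufficient_claims", claims="{encoded}"'


# Constructed sample claims challenge: "token must be issued after this time".
CLAIMS_JSON = '{"access_token":{"nbf":{"essential":true,"value":"1604106651"}}}'


def run_scenario(bypass_cache_on_claims: bool) -> Dict:
    """Acquire, hit the cache, get revoked and challenged, re-acquire with claims."""
    endpoint = FakeMsiEndpoint()
    client = ManagedIdentityClient(endpoint, bypass_cache_on_claims)
    resource = "https://vault.azure.net"
    first = client.acquire_token(resource)
    cached = client.acquire_token(resource)
    # CAE revokes the token; the resource answers the next call with a challenge.
    endpoint.revoked.add(cached["access_token"])
    claims = extract_claims_challenge(make_challenge(CLAIMS_JSON))
    after = client.acquire_token(resource, claims=claims)
    return {
        "first": first["access_token"],
        "cached": cached["access_token"],
        "after": after["access_token"],
        "after_accepted": endpoint.accepts(after["access_token"]),
        "endpoint_calls": endpoint.calls,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"bypass_cache_on_claims={mode}: {run_scenario(mode)}")
```

Running the script shows the two outcomes side by side: without the bypass, the challenged request comes back from the cache with the revoked token and the endpoint is called once; with it, the client refreshes and the endpoint is called twice. The challenge parser is separate from the cache logic on purpose, since whatever decodes the resource's WWW-Authenticate header only needs to hand the JSON claims string to the token call, which is what triggers the bypass.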

@gladjohn added the needs attention, untriaged, scenario:ManagedIdentity and Internal labels, then removed the needs attention and untriaged labels, Jul 17, 2024
@gladjohn gladjohn moved this from Committed to Blocked/Waiting for reply in MSAL Customer Trust / QM Jul 23, 2024
@gladjohn gladjohn moved this from Blocked/Waiting for reply to Committed in MSAL Customer Trust / QM Aug 6, 2024
@bgavrilMS bgavrilMS added the AzureSDK Issues and requests affecting the Azure SDK label Aug 16, 2024
bgavrilMS (Member) commented

Let's take this one as well please.

@bgavrilMS added the P1, Feature Request and confidential-client labels and removed the Internal label, Aug 16, 2024