Added token revocation functionality to Managed Identity

change/@azure-msal-node-20888f8d-8ed5-4418-80dd-03944efa17c7.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Added token revocation functionality to managed identity (#7422)",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

lib/msal-node/apiReview/msal-node.api.md

@@ -389,6 +389,7 @@ export class ManagedIdentityApplication {
 
 // @public (undocumented)
 export type ManagedIdentityConfiguration = {
+    clientCapabilities?: Array<string>;
     managedIdentityIdParams?: ManagedIdentityIdParams;
     system?: NodeSystemOptions;
 };

lib/msal-node/src/client/ManagedIdentityApplication.ts

@@ -140,6 +140,8 @@ export class ManagedIdentityApplication {
             ],
             authority: this.fakeAuthority.canonicalAuthority,
             correlationId: this.cryptoProvider.createNewGuid(),
+            claims: managedIdentityRequestParams.claims,
+            clientCapabilities: this.config.clientCapabilities,
         };
 
         if (

lib/msal-node/src/client/ManagedIdentitySources/BaseManagedIdentitySource.ts

@@ -133,6 +133,17 @@ export abstract class BaseManagedIdentitySource {
                 managedIdentityId
             );
 
+        // if claims are present, the MSI will get a new token
+        if (managedIdentityRequest.claims) {
+            networkRequest.queryParameters.bypass_cache = "true";
+        }
+
+        // if client capabilities are present, send them to the MSI
+        if (managedIdentityRequest.clientCapabilities?.length) {
+            networkRequest.queryParameters.xms_cc =
+                managedIdentityRequest.clientCapabilities.toString();
+        }
+
         const headers: Record<string, string> = networkRequest.headers;
         headers[HeaderNames.CONTENT_TYPE] = Constants.URL_FORM_CONTENT_TYPE;
 

lib/msal-node/src/config/Configuration.ts

@@ -136,6 +136,7 @@ export type ManagedIdentityIdParams = {
 
 /** @public */
 export type ManagedIdentityConfiguration = {
+    clientCapabilities?: Array<string>;
     managedIdentityIdParams?: ManagedIdentityIdParams;
     system?: NodeSystemOptions;
 };
@@ -247,13 +248,15 @@ export function buildAppConfiguration({
 
 /** @internal */
 export type ManagedIdentityNodeConfiguration = {
+    clientCapabilities: Array<string>;
     managedIdentityId: ManagedIdentityId;
     system: Required<
         Pick<NodeSystemOptions, "loggerOptions" | "networkClient">
     >;
 };
 
 export function buildManagedIdentityConfiguration({
+    clientCapabilities,
     managedIdentityIdParams,
     system,
 }: ManagedIdentityConfiguration): ManagedIdentityNodeConfiguration {
@@ -290,6 +293,7 @@ export function buildManagedIdentityConfiguration({
     }
 
     return {
+        clientCapabilities: clientCapabilities || [],
         managedIdentityId: managedIdentityId,
         system: {
             loggerOptions,

lib/msal-node/src/request/ManagedIdentityRequest.ts

@@ -8,8 +8,9 @@ import { ManagedIdentityRequestParams } from "./ManagedIdentityRequestParams.js"
 
 /**
  * ManagedIdentityRequest
- * - forceRefresh - forces managed identity requests to skip the cache and make network calls if true
- * - resource  - resource requested to access the protected API. It should be of the form "{ResourceIdUri}" or {ResourceIdUri/.default}. For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default
+ * - clientCapabilities - an array of client capabilities to be sent to ESTS
  */
 export type ManagedIdentityRequest = ManagedIdentityRequestParams &
-    CommonClientCredentialRequest;
+    CommonClientCredentialRequest & {
+        clientCapabilities?: Array<string>;
+    };

lib/msal-node/test/client/ManagedIdentitySources/Imds.spec.ts

@@ -55,6 +55,7 @@ import {
 } from "../../../src";
 // NodeJS 16+ provides a built-in version of setTimeout that is promise-based
 import { setTimeout } from "timers/promises";
+import { CAE_CONSTANTS } from "../../test_kit/StringConstants.js";
 
 describe("Acquires a token successfully via an IMDS Managed Identity", () => {
     // IMDS doesn't need environment variables because there is a default IMDS endpoint
@@ -549,13 +550,82 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
             );
         });
 
-        test("ignores a cached token when claims are provided", async () => {
+        test('checks if a token was cached or not and if was "bypass_cache=true" was sent to the MSI depending on whether or not claims are provided, and ensures "xms=client-capabilites-string" was sent to ESTS when client capabilities are provided via the Managed Identity configuration object', async () => {
+            const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
+                networkClient,
+                <any>"sendGetRequestAsync"
+            );
+
+            const systemAssignedManagedIdentityApplicationWithClientCapabilities: ManagedIdentityApplication =
+                new ManagedIdentityApplication({
+                    ...systemAssignedConfig,
+                    clientCapabilities: CAE_CONSTANTS.CLIENT_CAPABILITIES,
+                });
+
+            let networkManagedIdentityResult: AuthenticationResult =
+                await systemAssignedManagedIdentityApplicationWithClientCapabilities.acquireToken(
+                    {
+                        resource: MANAGED_IDENTITY_RESOURCE,
+                    }
+                );
+            expect(networkManagedIdentityResult.fromCache).toBe(false);
+            expect(networkManagedIdentityResult.accessToken).toEqual(
+                DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+            );
+
+            let tokenRequest = sendGetRequestAsyncSpy.mock.lastCall;
+            let url = tokenRequest[0];
+            expect(url.includes("bypass_cache=true")).toBe(false);
+            expect(
+                url.includes(
+                    `xms_cc=${CAE_CONSTANTS.CLIENT_CAPABILITIES.toString()}`
+                )
+            ).toBe(true);
+
+            const cachedManagedIdentityResult: AuthenticationResult =
+                await systemAssignedManagedIdentityApplicationWithClientCapabilities.acquireToken(
+                    {
+                        resource: MANAGED_IDENTITY_RESOURCE,
+                    }
+                );
+            expect(cachedManagedIdentityResult.fromCache).toBe(true);
+            expect(cachedManagedIdentityResult.accessToken).toEqual(
+                DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+            );
+
+            networkManagedIdentityResult =
+                await systemAssignedManagedIdentityApplicationWithClientCapabilities.acquireToken(
+                    {
+                        claims: TEST_CONFIG.CLAIMS,
+                        resource: MANAGED_IDENTITY_RESOURCE,
+                    }
+                );
+            expect(networkManagedIdentityResult.fromCache).toBe(false);
+            expect(networkManagedIdentityResult.accessToken).toEqual(
+                DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+            );
+
+            tokenRequest = sendGetRequestAsyncSpy.mock.lastCall;
+            url = tokenRequest[0];
+            expect(url.includes("bypass_cache=true")).toBe(true);
+            expect(
+                url.includes(
+                    `xms_cc=${CAE_CONSTANTS.CLIENT_CAPABILITIES.toString()}`
+                )
+            ).toBe(true);
+        });
+
+        test('ignores a cached token when claims are provided, and ensures "bypass_cache=true" was sent to the MSI', async () => {
+            const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
+                networkClient,
+                <any>"sendGetRequestAsync"
+            );
+
             let networkManagedIdentityResult: AuthenticationResult =
                 await systemAssignedManagedIdentityApplication.acquireToken({
                     resource: MANAGED_IDENTITY_RESOURCE,
                 });
             expect(networkManagedIdentityResult.fromCache).toBe(false);
-
             expect(networkManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
@@ -578,6 +648,10 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
             expect(networkManagedIdentityResult.accessToken).toEqual(
                 DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
             );
+
+            const tokenRequest = sendGetRequestAsyncSpy.mock.lastCall;
+            const url = tokenRequest[0];
+            expect(url.includes("bypass_cache=true")).toBe(true);
         });
 
         test("ignores a cached token when forceRefresh is set to true", async () => {