AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Engineering task] Implement Claims API to Bypass Cache When Claims are Present in MSAL with Managed Identity #4845

Closed gladjohn closed 1 month ago

gladjohn commented 1 month ago

Task type

Development

Description

Currently, MSAL with Managed Identity does not expose any claims API. With CAE (Continuous Access Evaluation) being enabled by default, we need to implement a mechanism to bypass the cache if claims are detected in the token request.

Steps to Reproduce: Enable CAE by default in MSAL with Managed Identity. Make a token request with claims present.

Observe that the cache is not bypassed, leading to potential stale token usage.

Expected Behavior: When claims are present in the token request, the cache should be bypassed to ensure that the latest token is used, in line with CAE requirements.

Solution

Proposed Solution:

  1. Expose the claims API in MSAL for MI
  2. Expose Claims to MI Assertion Provider for FIC
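
As an added illustration of the rule this issue asks for (claims present in the request means the cached token must not be served again), here is a small Python walkthrough. It is not MSAL's code and does not use the proposed MSAL API; the class and function names (`ManagedIdentityClient`, `StubManagedIdentitySource`, `parse_claims_challenge`, `call_with_cae_retry`) are assumptions, the token source is a stand-in for the managed identity endpoint, and the `WWW-Authenticate` challenge is constructed, not captured from a real service. The logic is language-neutral; Python is used only so it runs stand-alone.

```python
import base64
import json
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample (not captured from a real service): the CAE claims challenge a
# resource returns in WWW-Authenticate on a 401 when it wants a fresher token.
SAMPLE_CLAIMS_JSON = '{"access_token":{"nbf":{"essential":true,"value":"1604106651"}}}'
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", claims="'
    + base64.b64encode(SAMPLE_CLAIMS_JSON.encode()).decode().rstrip("=")
    + '"'
)
RESOURCE = "https://management.azure.com"


def parse_claims_challenge(www_authenticate: str) -> Optional[str]:
    """Return the decoded claims JSON from a CAE challenge, or None when no claims are present."""
    match = re.search(r'claims="([^"]+)"', www_authenticate)
    if not match:
        return None
    b64 = match.group(1)
    b64 += "=" * (-len(b64) % 4)  # services may strip base64 padding; restore it
    decoded = base64.b64decode(b64).decode("utf-8")
    json.loads(decoded)  # reject challenges whose claims are not valid JSON
    return decoded


@dataclass
class TokenResult:
    access_token: str
    expires_on: float
    from_cache: bool


class StubManagedIdentitySource:
    """Hypothetical stand-in for the managed identity token endpoint; counts round trips."""

    def __init__(self) -> None:
        self.calls = 0

    def get_token(self, resource: str, claims: Optional[str]) -> Tuple[str, float]:
        self.calls += 1
        kind = "cae" if claims else "plain"
        return f"token-{kind}-{self.calls}", time.time() + 3600


class ManagedIdentityClient:
    """Minimal client implementing: claims present in the request => skip the cache."""

    EXPIRY_BUFFER_SECONDS = 300

    def __init__(self, source: StubManagedIdentitySource) -> None:
        self._source = source
        self._cache: Dict[str, Tuple[str, float]] = {}

    def acquire_token(self, resource: str, claims: Optional[str] = None) -> TokenResult:
        if claims is None:
            hit = self._cache.get(resource)
            if hit and hit[1] - time.time() > self.EXPIRY_BUFFER_SECONDS:
                return TokenResult(hit[0], hit[1], True)
        # Either nothing usable is cached, or a claims challenge says the cached token
        # is no longer acceptable: go to the source and replace the cache entry.
        token, expires_on = self._source.get_token(resource, claims)
        self._cache[resource] = (token, expires_on)
        return TokenResult(token, expires_on, False)


def call_with_cae_retry(
    client: ManagedIdentityClient, resource: str, send: Callable[[str], Tuple[int, str]]
) -> Tuple[int, TokenResult]:
    """Call send(token); on a 401 carrying a claims challenge, bypass the cache once and retry."""
    result = client.acquire_token(resource)
    status, www_authenticate = send(result.access_token)
    if status == 401 and www_authenticate:
        claims = parse_claims_challenge(www_authenticate)
        if claims is not None:
            result = client.acquire_token(resource, claims=claims)
            status, _ = send(result.access_token)
    return status, result


def run_scenario() -> Dict[str, object]:
    """Constructed walkthrough: the resource rejects the first presented token once with a CAE challenge."""
    source = StubManagedIdentitySource()
    client = ManagedIdentityClient(source)
    state = {"rejected_once": False}

    def send(token: str) -> Tuple[int, str]:
        if not state["rejected_once"]:
            state["rejected_once"] = True
            return 401, SAMPLE_WWW_AUTHENTICATE
        return 200, ""

    results: List[Tuple[bool, str]] = []
    first = client.acquire_token(RESOURCE)            # round trip to the source
    results.append((first.from_cache, first.access_token))
    second = client.acquire_token(RESOURCE)           # served from cache
    results.append((second.from_cache, second.access_token))
    status, third = call_with_cae_retry(client, RESOURCE, send)  # challenge -> cache bypassed
    results.append((third.from_cache, third.access_token))
    fourth = client.acquire_token(RESOURCE)           # the fresh token is now the cached one
    results.append((fourth.from_cache, fourth.access_token))
    return {"status": status, "results": results, "source_calls": source.calls}


if __name__ == "__main__":
    print(run_scenario())
```

The point worth checking in any real implementation is the third step: the request that carries claims must never be satisfied from the cache, and the token it obtains must replace the rejected one so later requests without claims do not resurrect it. The second item in the proposed solution (passing claims through to the assertion provider for the federated identity credential flow) is outside what this sketch covers.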

rayluo commented 1 month ago

Yes, bypassing cache shall be part of the CAE implementation.

Question. Do all the MI v1 endpoints support CAE now? If so, do they use a newer API version on the wire? And do all MSAL's MI v1 support CAE?

bgavrilMS commented 1 month ago

Just bypass the cache for msi v1. @gladjohn will confirm