AzureAD · Robbie-Microsoft · Sep 30, 2024 · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024
diff --git a/change/@azure-msal-common-e4f59bc0-0846-4b3a-a6bd-b8a4829c5bff.json b/change/@azure-msal-common-e4f59bc0-0846-4b3a-a6bd-b8a4829c5bff.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Implemented functionality to skip the cache for MI when claims are provided #7207",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-node-61f7f536-1cf8-4eef-ac92-89902d8e6963.json b/change/@azure-msal-node-61f7f536-1cf8-4eef-ac92-89902d8e6963.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Implemented functionality to skip the cache for MI when claims are provided #7207",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/lib/msal-common/apiReview/msal-common.api.md b/lib/msal-common/apiReview/msal-common.api.md
@@ -3461,6 +3461,23 @@ export type RequestThumbprint = {
     shrOptions?: ShrOptions;
 };
 
+// Warning: (ae-missing-release-tag) "RequestValidator" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
+//
+// @public
+export class RequestValidator {
+    // (undocumented)
+    static validateClaims(claims: string): void;
+    // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
+    static validateCodeChallengeMethod(codeChallengeMethod: string): void;
+    // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
+    // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
+    static validateCodeChallengeParams(codeChallenge: string, codeChallengeMethod: string): void;
+    // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
+    static validatePrompt(prompt: string): void;
+    // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
+    static validateRedirectUri(redirectUri: string): void;
+}
+
 // Warning: (ae-missing-release-tag) "RESPONSE_MODE" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public (undocumented)

diff --git a/lib/msal-common/src/index.ts b/lib/msal-common/src/index.ts
@@ -140,6 +140,7 @@ export { NativeRequest } from "./request/NativeRequest";
 export { NativeSignOutRequest } from "./request/NativeSignOutRequest";
 export { RequestParameterBuilder } from "./request/RequestParameterBuilder";
 export { StoreInCache } from "./request/StoreInCache";
+export { RequestValidator } from "./request/RequestValidator";
 export {
     ClientAssertion,
     ClientAssertionConfig,

@@ -449,6 +449,7 @@ export type ManagedIdentityIdParams = {
 //
 // @public
 export type ManagedIdentityRequestParams = {
+    claims?: string;
     forceRefresh?: boolean;
     resource: string;
 };

@@ -130,6 +130,7 @@ export class ManagedIdentityApplication {
         }
 
         const managedIdentityRequest: ManagedIdentityRequest = {
+            claims: managedIdentityRequestParams.claims,
             forceRefresh: managedIdentityRequestParams.forceRefresh,
             resource: managedIdentityRequestParams.resource.replace(
                 "/.default",
@@ -142,7 +143,10 @@ export class ManagedIdentityApplication {
             correlationId: this.cryptoProvider.createNewGuid(),
         };
 
-        if (managedIdentityRequest.forceRefresh) {
+        if (
+            managedIdentityRequest.claims ||
+            managedIdentityRequest.forceRefresh
+        ) {
             // make a network call to the managed identity source
             return this.managedIdentityClient.sendManagedIdentityTokenRequest(
                 managedIdentityRequest,

diff --git a/lib/msal-node/src/client/ManagedIdentitySources/BaseManagedIdentitySource.ts b/lib/msal-node/src/client/ManagedIdentitySources/BaseManagedIdentitySource.ts
@@ -19,6 +19,8 @@ import {
     createClientAuthError,
     AuthenticationResult,
     UrlString,
+    RequestValidator,
+    AADServerParamKeys,
 } from "@azure/msal-common";
 import { ManagedIdentityId } from "../../config/ManagedIdentityId";
 import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters";
@@ -138,6 +140,12 @@ export abstract class BaseManagedIdentitySource {
 
         const networkRequestOptions: NetworkRequestOptions = { headers };
 
+        if (managedIdentityRequest.claims) {
+            RequestValidator.validateClaims(managedIdentityRequest.claims);
+            networkRequest.bodyParameters[AADServerParamKeys.CLAIMS] =
+                encodeURIComponent(managedIdentityRequest.claims);
+        }
+
         if (Object.keys(networkRequest.bodyParameters).length) {
             networkRequestOptions.body =
                 networkRequest.computeParametersBodyString();

@@ -5,10 +5,12 @@
 
 /**
  * ManagedIdentityRequest
+ * - claims       - a stringified claims request which will be added to all /authorize and /token calls
  * - forceRefresh - forces managed identity requests to skip the cache and make network calls if true
- * - resource  - resource requested to access the protected API. It should be of the form "{ResourceIdUri}" or {ResourceIdUri/.default}. For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default
+ * - resource     - resource requested to access the protected API. It should be of the form "{ResourceIdUri}" or {ResourceIdUri/.default}. For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default
  */
 export type ManagedIdentityRequestParams = {
+    claims?: string;
     forceRefresh?: boolean;
     resource: string;
 };
@@ -14,6 +14,7 @@ import {
     MANAGED_IDENTITY_RESOURCE_ID,
     MANAGED_IDENTITY_RESOURCE_ID_2,
     MANAGED_IDENTITY_TOKEN_RETRIEVAL_ERROR_MESSAGE,
+    TEST_CONFIG,
     THREE_SECONDS_IN_MILLI,
     getCacheKey,
 } from "../../test_kit/StringConstants";
@@ -31,6 +32,7 @@ import {
     ManagedIdentitySourceNames,
 } from "../../../src/utils/Constants";
 import {
+    AADServerParamKeys,
     AccessTokenEntity,
     AuthenticationResult,
     CacheHelpers,
@@ -548,6 +550,51 @@ describe("Acquires a token successfully via an IMDS Managed Identity", () => {
             );
         });
 
+        test("ignores a cached token when claims are provided", async () => {
+            const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
+                networkClient,
+                <any>"sendGetRequestAsync"
+            );
+
+            let networkManagedIdentityResult: AuthenticationResult =
+                await systemAssignedManagedIdentityApplication.acquireToken({
+                    resource: MANAGED_IDENTITY_RESOURCE,
+                });
+            expect(networkManagedIdentityResult.fromCache).toBe(false);
+
+            expect(networkManagedIdentityResult.accessToken).toEqual(
+                DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+            );
+
+            const cachedManagedIdentityResult: AuthenticationResult =
+                await systemAssignedManagedIdentityApplication.acquireToken({
+                    resource: MANAGED_IDENTITY_RESOURCE,
+                });
+            expect(cachedManagedIdentityResult.fromCache).toBe(true);
+            expect(cachedManagedIdentityResult.accessToken).toEqual(
+                DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+            );
+
+            networkManagedIdentityResult =
+                await systemAssignedManagedIdentityApplication.acquireToken({
+                    claims: TEST_CONFIG.CLAIMS,
+                    resource: MANAGED_IDENTITY_RESOURCE,
+                });
+            expect(networkManagedIdentityResult.fromCache).toBe(false);
+
+            expect(
+                sendGetRequestAsyncSpy.mock.lastCall[1].body.includes(
+                    `${AADServerParamKeys.CLAIMS}=${encodeURIComponent(
+                        TEST_CONFIG.CLAIMS
+                    )}`
+                )
+            ).toBe(true);
+
+            expect(networkManagedIdentityResult.accessToken).toEqual(
+                DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+            );
+        });
+
         test("ignores a cached token when forceRefresh is set to true", async () => {
             let networkManagedIdentityResult: AuthenticationResult =
                 await systemAssignedManagedIdentityApplication.acquireToken({