initial

Author: GladwinJohnson

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenForManagedIdentityParameters.cs

@@ -16,6 +16,8 @@ internal class AcquireTokenForManagedIdentityParameters : IAcquireTokenParameter
 
         public string Resource { get; set; }
 
+        public string Claims { get; set; }
+
         public void LogParameters(ILoggerAdapter logger)
         {
             if (logger.IsLoggingEnabled(LogLevel.Info))

src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs

@@ -36,6 +36,7 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok
             // Skip checking cache when force refresh or claims is specified
             if (_managedIdentityParameters.ForceRefresh || !string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
             {
+                _managedIdentityParameters.Claims = AuthenticationRequestParameters.Claims;
                 AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ForceRefreshOrClaims;
 
                 logger.Info("[ManagedIdentityRequest] Skipped looking for a cached access token because ForceRefresh or Claims were set. " +

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs

@@ -12,6 +12,8 @@
 using System.Net;
 using Microsoft.Identity.Client.ApiConfig.Parameters;
 using System.Text;
+using System.Collections.Generic;
+using System.Linq;
 #if SUPPORTS_SYSTEM_TEXT_JSON
 using System.Text.Json;
 #else
@@ -48,7 +50,7 @@ public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
             // Convert the scopes to a resource string.
             string resource = parameters.Resource;
 
-            ManagedIdentityRequest request = CreateRequest(resource);
+            ManagedIdentityRequest request = CreateRequest(resource, parameters);
 
             _requestContext.Logger.Info("[Managed Identity] Sending request to managed identity endpoints.");
 
@@ -125,7 +127,7 @@ protected virtual Task<ManagedIdentityResponse> HandleResponseAsync(
             throw exception;
         }
 
-        protected abstract ManagedIdentityRequest CreateRequest(string resource);
+        protected abstract ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters);
 
         protected ManagedIdentityResponse GetSuccessfulResponse(HttpResponse response)
         {
@@ -293,5 +295,54 @@ private static void CreateAndThrowException(string errorCode,
 
             throw exception;
         }
+
+        /// <summary>
+        /// Sets the claims and capabilities in the request.
+        /// </summary>
+        /// <param name="request"></param>
+        /// <param name="parameters"></param>
+        protected virtual void ApplyClaimsAndCapabilities(
+            ManagedIdentityRequest request,
+            AcquireTokenForManagedIdentityParameters parameters)
+        {
+            IEnumerable<string> clientCapabilities = _requestContext.ServiceBundle.Config.ClientCapabilities;
+
+            // If claims are present, set bypass_cache=true
+            if (!string.IsNullOrEmpty(parameters.Claims))
+            {
+                SetRequestParameter(request, "bypass_cache", "true");
+                _requestContext.Logger.Info("[Managed Identity] Setting bypass_cache=true in the Managed Identity request due to claims.");
+
+                // Set xms_cc only if clientCapabilities exist
+                if (clientCapabilities != null && clientCapabilities.Any())
+                {
+                    SetRequestParameter(request, "xms_cc", string.Join(",", clientCapabilities));
+                    _requestContext.Logger.Info("[Managed Identity] Adding client capabilities (xms_cc) to Managed Identity request.");
+                }
+            }
+            else
+            {
+                SetRequestParameter(request, "bypass_cache", "false");
+                _requestContext.Logger.Info("[Managed Identity] Setting bypass_cache=false (no claims provided).");
+            }
+        }
+
+        /// <summary>
+        /// Sets the request parameter in either the query or body based on the request method.
+        /// </summary>
+        /// <param name="request"></param>
+        /// <param name="key"></param>
+        /// <param name="value"></param>
+        protected void SetRequestParameter(ManagedIdentityRequest request, string key, string value)
+        {
+            if (request.Method == HttpMethod.Post)
+            {
+                request.BodyParameters[key] = value;
+            }
+            else
+            {
+                request.QueryParameters[key] = value;
+            }
+        }
     }
 }

src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs

@@ -4,6 +4,8 @@
 using System;
 using System.Collections.Generic;
 using System.Globalization;
+using System.Linq;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.Utils;
@@ -65,14 +67,16 @@ private static bool TryValidateEnvVars(string msiEndpoint, ILoggerAdapter logger
             return true;
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new(System.Net.Http.HttpMethod.Get, _endpoint);
 
             request.Headers.Add(SecretHeaderName, _secret);
             request.QueryParameters["api-version"] = AppServiceMsiApiVersion;
             request.QueryParameters["resource"] = resource;
 
+            ApplyClaimsAndCapabilities(request, parameters);
+
             switch (_requestContext.ServiceBundle.Config.ManagedIdentityId.IdType)
             {
                 case AppConfig.ManagedIdentityIdType.ClientId:

src/client/Microsoft.Identity.Client/ManagedIdentity/AzureArcManagedIdentitySource.cs

@@ -81,13 +81,16 @@ private AzureArcManagedIdentitySource(Uri endpoint, RequestContext requestContex
             }
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new ManagedIdentityRequest(System.Net.Http.HttpMethod.Get, _endpoint);
 
             request.Headers.Add("Metadata", "true");
             request.QueryParameters["api-version"] = ArcApiVersion;
             request.QueryParameters["resource"] = resource;
+            request.QueryParameters["bypass_cache"] = "false";
+
+            ApplyClaimsAndCapabilities(request, parameters);
 
             return request;
         }
@@ -121,7 +124,7 @@ protected override async Task<ManagedIdentityResponse> HandleResponseAsync(
 
                 var authHeaderValue = "Basic " + File.ReadAllText(splitChallenge[1]);
 
-                ManagedIdentityRequest request = CreateRequest(parameters.Resource);
+                ManagedIdentityRequest request = CreateRequest(parameters.Resource, parameters);
 
                 _requestContext.Logger.Verbose(() => "[Managed Identity] Adding authorization header to the request.");
                 request.Headers.Add("Authorization", authHeaderValue);

src/client/Microsoft.Identity.Client/ManagedIdentity/CloudShellManagedIdentitySource.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Globalization;
 using System.Net.Http;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 
@@ -73,14 +74,16 @@ private CloudShellManagedIdentitySource(Uri endpoint, RequestContext requestCont
             }
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new ManagedIdentityRequest(HttpMethod.Post, _endpoint);
 
             request.Headers.Add("ContentType", "application/x-www-form-urlencoded");
             request.Headers.Add("Metadata", "true");
 
             request.BodyParameters.Add("resource", resource);
+            
+            ApplyClaimsAndCapabilities(request, parameters);
 
             return request;
         }

src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsManagedIdentitySource.cs

@@ -56,14 +56,16 @@ internal ImdsManagedIdentitySource(RequestContext requestContext) :
             requestContext.Logger.Verbose(() => "[Managed Identity] Creating IMDS managed identity source. Endpoint URI: " + _imdsEndpoint);
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new(HttpMethod.Get, _imdsEndpoint);
 
             request.Headers.Add("Metadata", "true");
             request.QueryParameters["api-version"] = ImdsApiVersion;
             request.QueryParameters["resource"] = resource;
 
+            ApplyClaimsAndCapabilities(request, parameters);
+
             switch (_requestContext.ServiceBundle.Config.ManagedIdentityId.IdType)
             {
                 case AppConfig.ManagedIdentityIdType.ClientId:

src/client/Microsoft.Identity.Client/ManagedIdentity/MachineLearningManagedIdentitySource.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Globalization;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 
@@ -62,7 +63,7 @@ private static bool TryValidateEnvVars(string msiEndpoint, ILoggerAdapter logger
             return true;
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new(System.Net.Http.HttpMethod.Get, _endpoint);
 
@@ -71,6 +72,8 @@ protected override ManagedIdentityRequest CreateRequest(string resource)
             request.QueryParameters["api-version"] = MachineLearningMsiApiVersion;
             request.QueryParameters["resource"] = resource;
 
+            ApplyClaimsAndCapabilities(request, parameters);
+
             switch (_requestContext.ServiceBundle.Config.ManagedIdentityId.IdType)
             {
                 case AppConfig.ManagedIdentityIdType.ClientId:

src/client/Microsoft.Identity.Client/ManagedIdentity/ServiceFabricManagedIdentitySource.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Globalization;
 using System.Net.Http;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 
@@ -77,7 +78,6 @@ internal HttpClientHandler CreateHandlerWithSslValidation(ILoggerAdapter logger)
 #endif
         }
 
-
         private ServiceFabricManagedIdentitySource(RequestContext requestContext, Uri endpoint, string identityHeaderValue) : 
         base(requestContext, ManagedIdentitySource.ServiceFabric)
         {
@@ -90,7 +90,7 @@ private ServiceFabricManagedIdentitySource(RequestContext requestContext, Uri en
             }
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new ManagedIdentityRequest(HttpMethod.Get, _endpoint);
 
@@ -99,6 +99,8 @@ protected override ManagedIdentityRequest CreateRequest(string resource)
             request.QueryParameters["api-version"] = ServiceFabricMsiApiVersion;
             request.QueryParameters["resource"] = resource;
 
+            ApplyClaimsAndCapabilities(request, parameters);
+
             switch (_requestContext.ServiceBundle.Config.ManagedIdentityId.IdType)
             {
                 case AppConfig.ManagedIdentityIdType.ClientId:

tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs

@@ -367,14 +367,21 @@ public static void AddManagedIdentityMockHandler(
             ManagedIdentitySource managedIdentitySourceType,
             string userAssignedId = null,
             UserAssignedIdentityId userAssignedIdentityId = UserAssignedIdentityId.None,
-            HttpStatusCode statusCode = HttpStatusCode.OK
+            HttpStatusCode statusCode = HttpStatusCode.OK,
+            bool capabilityEnabled = false, 
+            bool claimsEnabled = false
             )
         {
             HttpResponseMessage responseMessage = new HttpResponseMessage(statusCode);
             HttpContent content = new StringContent(response);
             responseMessage.Content = content;
 
-            MockHttpMessageHandler httpMessageHandler = BuildMockHandlerForManagedIdentitySource(managedIdentitySourceType, resource);
+            MockHttpMessageHandler httpMessageHandler = BuildMockHandlerForManagedIdentitySource(
+                managedIdentitySourceType, 
+                resource,
+                capabilityEnabled, 
+                claimsEnabled
+                );
 
             if (userAssignedIdentityId == UserAssignedIdentityId.ClientId)
             {
@@ -396,12 +403,19 @@ public static void AddManagedIdentityMockHandler(
 
             httpManager.AddMockHandler(httpMessageHandler);
         }
-            
-        private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(ManagedIdentitySource managedIdentitySourceType, string resource)
+
+        private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(
+            ManagedIdentitySource managedIdentitySourceType,
+            string resource,
+            bool capabilityEnabled = false,
+            bool claimsEnabled = false)
         {
             MockHttpMessageHandler httpMessageHandler = new MockHttpMessageHandler();
             IDictionary<string, string> expectedQueryParams = new Dictionary<string, string>();
             IDictionary<string, string> expectedRequestHeaders = new Dictionary<string, string>();
+            IDictionary<string, string> expectedPostData = null; // Only used for Cloud Shell
+
+            string bypassCacheValue = claimsEnabled ? "true" : "false";  // Set based on claimsEnabled
 
             switch (managedIdentitySourceType)
             {
@@ -410,45 +424,73 @@ private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(M
                     expectedQueryParams.Add("api-version", "2019-08-01");
                     expectedQueryParams.Add("resource", resource);
                     expectedRequestHeaders.Add("X-IDENTITY-HEADER", "secret");
+                    expectedQueryParams.Add("bypass_cache", bypassCacheValue);
                     break;
                 case ManagedIdentitySource.AzureArc:
                     httpMessageHandler.ExpectedMethod = HttpMethod.Get;
                     expectedQueryParams.Add("api-version", "2019-11-01");
                     expectedQueryParams.Add("resource", resource);
                     expectedRequestHeaders.Add("Metadata", "true");
+                    expectedQueryParams.Add("bypass_cache", bypassCacheValue);
                     break;
                 case ManagedIdentitySource.Imds:
                     httpMessageHandler.ExpectedMethod = HttpMethod.Get;
                     expectedQueryParams.Add("api-version", "2018-02-01");
                     expectedQueryParams.Add("resource", resource);
                     expectedRequestHeaders.Add("Metadata", "true");
+                    expectedQueryParams.Add("bypass_cache", bypassCacheValue);
                     break;
                 case ManagedIdentitySource.CloudShell:
                     httpMessageHandler.ExpectedMethod = HttpMethod.Post;
                     expectedRequestHeaders.Add("Metadata", "true");
                     expectedRequestHeaders.Add("ContentType", "application/x-www-form-urlencoded");
-                    httpMessageHandler.ExpectedPostData = new Dictionary<string, string> { { "resource", resource } };
+
+                    expectedPostData = new Dictionary<string, string>
+                    {
+                        { "resource", resource },
+                        { "bypass_cache", bypassCacheValue }
+                    };
                     break;
                 case ManagedIdentitySource.ServiceFabric:
                     httpMessageHandler.ExpectedMethod = HttpMethod.Get;
                     expectedRequestHeaders.Add("secret", "secret");
                     expectedQueryParams.Add("api-version", "2019-07-01-preview");
                     expectedQueryParams.Add("resource", resource);
+                    expectedQueryParams.Add("bypass_cache", bypassCacheValue);
                     break;
                 case ManagedIdentitySource.MachineLearning:
                     httpMessageHandler.ExpectedMethod = HttpMethod.Get;
                     expectedRequestHeaders.Add("secret", "secret");
                     expectedRequestHeaders.Add("Metadata", "true");
                     expectedQueryParams.Add("api-version", "2017-09-01");
                     expectedQueryParams.Add("resource", resource);
+                    expectedQueryParams.Add("bypass_cache", bypassCacheValue);
                     break;
             }
 
+            // If capabilityEnabled, add "xms_cc": "cp1"
+            if (capabilityEnabled)
+            {
+                if (managedIdentitySourceType == ManagedIdentitySource.CloudShell)
+                {
+                    expectedPostData ??= new Dictionary<string, string>();
+                    expectedPostData.Add("xms_cc", "cp1,cp2");
+                }
+                else
+                {
+                    expectedQueryParams.Add("xms_cc", "cp1,cp2");
+                }
+            }
+
             if (managedIdentitySourceType != ManagedIdentitySource.CloudShell)
             {
                 httpMessageHandler.ExpectedQueryParams = expectedQueryParams;
             }
-            
+            else
+            {
+                httpMessageHandler.ExpectedPostData = expectedPostData;
+            }
+
             httpMessageHandler.ExpectedRequestHeaders = expectedRequestHeaders;
 
             return httpMessageHandler;