msi v1 tr

Author: GladwinJohnson

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenForManagedIdentityParameters.cs

@@ -18,6 +18,8 @@ internal class AcquireTokenForManagedIdentityParameters : IAcquireTokenParameter
 
         public string Claims { get; set; }
 
+        public string BadTokenHash { get; set; }
+
         public void LogParameters(ILoggerAdapter logger)
         {
             if (logger.IsLoggingEnabled(LogLevel.Info))

src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs

@@ -10,6 +10,7 @@
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.ManagedIdentity;
 using Microsoft.Identity.Client.OAuth2;
+using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
 using Microsoft.Identity.Client.Utils;
 
 namespace Microsoft.Identity.Client.Internal.Requests
@@ -18,6 +19,7 @@ internal class ManagedIdentityAuthRequest : RequestBase
     {
         private readonly AcquireTokenForManagedIdentityParameters _managedIdentityParameters;
         private static readonly SemaphoreSlim s_semaphoreSlim = new SemaphoreSlim(1, 1);
+        private readonly ICryptographyManager _cryptoManager;
 
         public ManagedIdentityAuthRequest(
             IServiceBundle serviceBundle,
@@ -26,72 +28,105 @@ public ManagedIdentityAuthRequest(
             : base(serviceBundle, authenticationRequestParameters, managedIdentityParameters)
         {
             _managedIdentityParameters = managedIdentityParameters;
+            _cryptoManager = serviceBundle.PlatformProxy.CryptographyManager;
         }
 
         protected override async Task<AuthenticationResult> ExecuteAsync(CancellationToken cancellationToken)
         {
             AuthenticationResult authResult = null;
             ILoggerAdapter logger = AuthenticationRequestParameters.RequestContext.Logger;
 
-            // Skip checking cache when force refresh or claims is specified
-            if (_managedIdentityParameters.ForceRefresh || !string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
+            // 1. FIRST, handle ForceRefresh
+            if (_managedIdentityParameters.ForceRefresh)
             {
-                _managedIdentityParameters.Claims = AuthenticationRequestParameters.Claims;
                 AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ForceRefreshOrClaims;
-                
-                logger.Info("[ManagedIdentityRequest] Skipped looking for a cached access token because ForceRefresh or Claims were set. " +
-                    "This means either a force refresh was requested or claims were present.");
+                logger.Info("[ManagedIdentityRequest] Skipped using the cache because ForceRefresh was set.");
+
+                // We still respect claims if present
+                _managedIdentityParameters.Claims = AuthenticationRequestParameters.Claims;
 
+                // Straight to the MI endpoint
                 authResult = await GetAccessTokenAsync(cancellationToken, logger).ConfigureAwait(false);
                 return authResult;
             }
 
+            // 2. Otherwise, look for a cached token
             MsalAccessTokenCacheItem cachedAccessTokenItem = await GetCachedAccessTokenAsync().ConfigureAwait(false);
 
-            // No access token or cached access token needs to be refreshed 
+            // If we have claims, we do NOT use the cached token (but we still need it to compute the hash).
+            if (!string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
+            {
+                _managedIdentityParameters.Claims = AuthenticationRequestParameters.Claims;
+                AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ForceRefreshOrClaims;
+
+                // If there is a cached token, compute its hash for the “bad token” scenario
+                if (cachedAccessTokenItem != null)
+                {
+                    string cachedTokenHash = _cryptoManager.CreateSha256Hash(cachedAccessTokenItem.Secret);
+                    _managedIdentityParameters.BadTokenHash = cachedTokenHash;
+
+                    logger.Info("[ManagedIdentityRequest] Claims are present. Computed hash of the cached (bad) token. " +
+                                "Will now request a fresh token from the MI endpoint.");
+                }
+                else
+                {
+                    logger.Info("[ManagedIdentityRequest] Claims are present, but no cached token was found. " +
+                                "Requesting a fresh token from the MI endpoint without a bad-token hash.");
+                }
+
+                // In both cases, we skip using the cached token and get a new one
+                authResult = await GetAccessTokenAsync(cancellationToken, logger).ConfigureAwait(false);
+                return authResult;
+            }
+
+            // 3. If we have no ForceRefresh and no claims, we can use the cache
             if (cachedAccessTokenItem != null)
             {
+                // Found a valid token in cache
                 authResult = CreateAuthenticationResultFromCache(cachedAccessTokenItem);
-
                 logger.Info("[ManagedIdentityRequest] Access token retrieved from cache.");
 
                 try
-                {  
-                    var proactivelyRefresh = SilentRequestHelper.NeedsRefresh(cachedAccessTokenItem);
-
-                    // If needed, refreshes token in the background
+                {
+                    // If token is close to expiry, proactively refresh it in the background
+                    bool proactivelyRefresh = SilentRequestHelper.NeedsRefresh(cachedAccessTokenItem);
                     if (proactivelyRefresh)
                     {
                         logger.Info("[ManagedIdentityRequest] Initiating a proactive refresh.");
 
                         AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ProactivelyRefreshed;
 
                         SilentRequestHelper.ProcessFetchInBackground(
-                        cachedAccessTokenItem,
-                        () =>
-                        {
-                            // Use a linked token source, in case the original cancellation token source is disposed before this background task completes.
-                            using var tokenSource = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
-                            return GetAccessTokenAsync(tokenSource.Token, logger);
-                        }, logger, ServiceBundle, AuthenticationRequestParameters.RequestContext.ApiEvent,
-                        AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkApiId,
-                        AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkVersion);
+                            cachedAccessTokenItem,
+                            () =>
+                            {
+                                // Use a linked token source, in case the original cts is disposed
+                                using var tokenSource = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
+                                return GetAccessTokenAsync(tokenSource.Token, logger);
+                            },
+                            logger,
+                            ServiceBundle,
+                            AuthenticationRequestParameters.RequestContext.ApiEvent,
+                            AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkApiId,
+                            AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkVersion);
                     }
                 }
                 catch (MsalServiceException e)
                 {
+                    // If background refresh fails, we handle the exception
                     return await HandleTokenRefreshErrorAsync(e, cachedAccessTokenItem).ConfigureAwait(false);
                 }
             }
             else
             {
-                //  No AT in the cache 
+                // No cached token
                 if (AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo != CacheRefreshReason.Expired)
                 {
                     AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.NoCachedAccessToken;
                 }
 
-                logger.Info("[ManagedIdentityRequest] No cached access token. Getting a token from the managed identity endpoint.");
+                logger.Info("[ManagedIdentityRequest] No cached access token found. " +
+                            "Getting a token from the managed identity endpoint.");
                 authResult = await GetAccessTokenAsync(cancellationToken, logger).ConfigureAwait(false);
             }
 

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs

@@ -307,24 +307,24 @@ protected virtual void ApplyClaimsAndCapabilities(
         {
             IEnumerable<string> clientCapabilities = _requestContext.ServiceBundle.Config.ClientCapabilities;
 
-            // If claims are present, set bypass_cache=true
-            if (!string.IsNullOrEmpty(parameters.Claims))
+            // Set xms_cc only if clientCapabilities exist
+            if (clientCapabilities != null && clientCapabilities.Any())
             {
-                SetRequestParameter(request, "bypass_cache", "true");
-                _requestContext.Logger.Info("[Managed Identity] Setting bypass_cache=true in the Managed Identity request due to claims.");
+                SetRequestParameter(request, "xms_cc", string.Join(",", clientCapabilities));
+                _requestContext.Logger.Info("[Managed Identity] Adding client capabilities (xms_cc) to Managed Identity request.");
+            }
 
-                // Set xms_cc only if clientCapabilities exist
-                if (clientCapabilities != null && clientCapabilities.Any())
+            // If claims are present, send the bad token hash to the Managed Identity endpoint.
+            if (!string.IsNullOrEmpty(parameters.Claims))
+            {
+                if (!string.IsNullOrEmpty(parameters.BadTokenHash))
                 {
-                    SetRequestParameter(request, "xms_cc", string.Join(",", clientCapabilities));
-                    _requestContext.Logger.Info("[Managed Identity] Adding client capabilities (xms_cc) to Managed Identity request.");
+                    SetRequestParameter(request, "token_sha256_to_refresh", parameters.BadTokenHash);
+                    _requestContext.Logger.Info(
+                        "[Managed Identity] Passing SHA-256 of the 'bad' token to Managed Identity endpoint."
+                    );
                 }
             }
-            else
-            {
-                SetRequestParameter(request, "bypass_cache", "false");
-                _requestContext.Logger.Info("[Managed Identity] Setting bypass_cache=false (no claims provided).");
-            }
         }
 
         /// <summary>

src/client/Microsoft.Identity.Client/ManagedIdentity/AzureArcManagedIdentitySource.cs

@@ -88,9 +88,6 @@ protected override ManagedIdentityRequest CreateRequest(string resource, Acquire
             request.Headers.Add("Metadata", "true");
             request.QueryParameters["api-version"] = ArcApiVersion;
             request.QueryParameters["resource"] = resource;
-            request.QueryParameters["bypass_cache"] = "false";
-
-            ApplyClaimsAndCapabilities(request, parameters);
 
             return request;
         }

src/client/Microsoft.Identity.Client/ManagedIdentity/CloudShellManagedIdentitySource.cs

@@ -83,8 +83,6 @@ protected override ManagedIdentityRequest CreateRequest(string resource, Acquire
 
             request.BodyParameters.Add("resource", resource);
 
-            ApplyClaimsAndCapabilities(request, parameters);
-
             return request;
         }
     }

src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsManagedIdentitySource.cs

@@ -64,8 +64,6 @@ protected override ManagedIdentityRequest CreateRequest(string resource, Acquire
             request.QueryParameters["api-version"] = ImdsApiVersion;
             request.QueryParameters["resource"] = resource;
 
-            ApplyClaimsAndCapabilities(request, parameters);
-
             switch (_requestContext.ServiceBundle.Config.ManagedIdentityId.IdType)
             {
                 case AppConfig.ManagedIdentityIdType.ClientId:

src/client/Microsoft.Identity.Client/ManagedIdentity/MachineLearningManagedIdentitySource.cs

@@ -72,8 +72,6 @@ protected override ManagedIdentityRequest CreateRequest(string resource, Acquire
             request.QueryParameters["api-version"] = MachineLearningMsiApiVersion;
             request.QueryParameters["resource"] = resource;
 
-            ApplyClaimsAndCapabilities(request, parameters);
-
             switch (_requestContext.ServiceBundle.Config.ManagedIdentityId.IdType)
             {
                 case AppConfig.ManagedIdentityIdType.ClientId:

src/client/Microsoft.Identity.Client/Utils/CoreHelpers.cs

@@ -75,40 +75,54 @@ public static string ToQueryParameter(this IDictionary<string, string> input)
             return builder.ToString();
         }
 
-        public static Dictionary<string, string> ParseKeyValueList(string input, char delimiter, bool urlDecode,
-            bool lowercaseKeys,
+        public static Dictionary<string, string> ParseKeyValueList(
+            string input, 
+            char delimiter, 
+            bool urlDecode,    
+            bool lowercaseKeys, 
             RequestContext requestContext)
         {
             var response = new Dictionary<string, string>();
 
+            // Split the full query string on & (or any provided delimiter) to get individual k=v pairs.
             var queryPairs = SplitWithQuotes(input, delimiter);
 
             foreach (string queryPair in queryPairs)
             {
-                var pair = SplitWithQuotes(queryPair, '=');
+                // Instead of splitting on *all* '=' characters, find only the first one.
+                // This ensures that if the value itself contains '=', such as a trailing '=' in Base64,
+                // we do not accidentally split the base64 value into extra parts and lose the padding.
+                int idx = queryPair.IndexOf('=');
 
-                if (pair.Count == 2 && !string.IsNullOrWhiteSpace(pair[0]) && !string.IsNullOrWhiteSpace(pair[1]))
+                // idx > 0 means we found an '=' and have a valid key substring before it
+                if (idx > 0)
                 {
-                    string key = pair[0];
-                    string value = pair[1];
+                    // The key is everything before the first '='
+                    string key = queryPair.Substring(0, idx);
+
+                    // The value is everything after the first '=' (including any trailing '=')
+                    string value = queryPair.Substring(idx + 1);
 
-                    // Url decoding is needed for parsing OAuth response, but not for parsing WWW-Authenticate header in 401 challenge
+                    // If urlDecode == true, decode both key and value
                     if (urlDecode)
                     {
                         key = UrlDecode(key);
                         value = UrlDecode(value);
                     }
 
+                    // Optionally convert key to lowercase
                     if (lowercaseKeys)
                     {
                         key = key.Trim().ToLowerInvariant();
                     }
 
+                    // Trim quotes and whitespace around the value
                     value = value.Trim().Trim('\"').Trim();
 
                     if (response.ContainsKey(key))
                     {
-                        requestContext?.Logger.Warning(string.Format(CultureInfo.InvariantCulture,
+                        requestContext?.Logger.Warning(
+                            string.Format(CultureInfo.InvariantCulture,
                             "Key/value pair list contains redundant key '{0}'.", key));
                     }
 

tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHelpers.cs

@@ -370,7 +370,7 @@ public static HttpResponseMessage CreateSuccessTokenResponseMessage(
             string[] scope,
             bool foci = false,
             string utid = TestConstants.Utid,
-            string accessToken = "some-access-token",
+            string accessToken = TestConstants.ATSecret,
             string refreshToken = "OAAsomethingencrypedQwgAA")
         {
             HttpResponseMessage responseMessage = new HttpResponseMessage(HttpStatusCode.OK);
@@ -385,7 +385,7 @@ public static string CreateSuccessTokenResponseString(string uniqueId,
             string[] scope,
             bool foci = false,
             string utid = TestConstants.Utid,
-            string accessToken = "some-access-token",
+            string accessToken = TestConstants.ATSecret,
             string refreshToken = "OAAsomethingencrypedQwgAA")
         {
             string idToken = CreateIdToken(uniqueId, displayableId, TestConstants.Utid);