enhancements

Author: GladwinJohnson

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs

@@ -319,16 +319,14 @@ protected virtual void ApplyClaimsAndCapabilities(
                 _requestContext.Logger.Info("[Managed Identity] Adding client capabilities (xms_cc) to Managed Identity request.");
             }
 
-            // If claims are present, send the bad token hash to the Managed Identity endpoint.
-            if (!string.IsNullOrEmpty(parameters.Claims))
+            // Only include 'token_sha256_to_refresh' if we have both Claims and the old token's hash
+            if (!string.IsNullOrEmpty(parameters.Claims) &&
+                !string.IsNullOrEmpty(parameters.BadTokenHash))
             {
-                if (!string.IsNullOrEmpty(parameters.BadTokenHash))
-                {
-                    SetRequestParameter(request, "token_sha256_to_refresh", parameters.BadTokenHash);
-                    _requestContext.Logger.Info(
-                        "[Managed Identity] Passing SHA-256 of the 'bad' token to Managed Identity endpoint."
-                    );
-                }
+                SetRequestParameter(request, "token_sha256_to_refresh", parameters.BadTokenHash);
+                _requestContext.Logger.Info(
+                    "[Managed Identity] Passing SHA-256 of the 'bad' token to Managed Identity endpoint."
+                );
             }
         }
 

tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs

@@ -427,6 +427,7 @@ private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(
         {
             MockHttpMessageHandler httpMessageHandler = new MockHttpMessageHandler();
             IDictionary<string, string> expectedQueryParams = new Dictionary<string, string>();
+            IDictionary<string, string> notExpectedQueryParams = new Dictionary<string, string>();
             IDictionary<string, string> expectedRequestHeaders = new Dictionary<string, string>();
             IDictionary<string, string> expectedPostData = null; // Only used for Cloud Shell
 
@@ -474,26 +475,35 @@ private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(
                     break;
             }
 
+            var manager = new CommonCryptographyManager();
+            var value = manager.CreateSha256Hash(TestConstants.ATSecret);
+
             // If capabilityEnabled, add "xms_cc": "cp1"
             if (capabilityEnabled)
             {
-                if (managedIdentitySourceType == ManagedIdentitySource.AppService 
+                if (managedIdentitySourceType == ManagedIdentitySource.AppService
                     || managedIdentitySourceType == ManagedIdentitySource.ServiceFabric)
                 {
                     expectedQueryParams.Add("xms_cc", "cp1,cp2");
                 }
             }
+            else
+            {
+                notExpectedQueryParams.Add("xms_cc", "cp1,cp2");
+            }
 
             if (claimsEnabled)
             {
-                var manager = new CommonCryptographyManager();
-                var value = manager.CreateSha256Hash(TestConstants.ATSecret);
                 if (managedIdentitySourceType == ManagedIdentitySource.AppService
                     || managedIdentitySourceType == ManagedIdentitySource.ServiceFabric)
                 {
                     expectedQueryParams.Add("token_sha256_to_refresh", manager.CreateSha256Hash(TestConstants.ATSecret));
                 }
             }
+            else
+            {
+                notExpectedQueryParams.Add("token_sha256_to_refresh", manager.CreateSha256Hash(TestConstants.ATSecret));
+            }
 
             if (managedIdentitySourceType != ManagedIdentitySource.CloudShell)
             {

tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpMessageHandler.cs

@@ -25,6 +25,7 @@ internal class MockHttpMessageHandler : HttpClientHandler
         public IDictionary<string, string> ExpectedRequestHeaders { get; set; }
         public IList<string> UnexpectedRequestHeaders { get; set; }
         public IDictionary<string, string> UnExpectedPostData { get; set; }
+        public IDictionary<string, string> NotExpectedQueryParams { get; set; }
         public HttpMethod ExpectedMethod { get; set; }
 
         public Exception ExceptionToThrow { get; set; }
@@ -65,7 +66,9 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
 
             Assert.AreEqual(ExpectedMethod, request.Method);
 
-            ValidateQueryParams(uri);
+            ValidateExpectedQueryParams(uri);
+
+            ValidateNotExpectedQueryParams(uri);
 
             await ValidatePostDataAsync(request).ConfigureAwait(false);
 
@@ -80,12 +83,12 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
             return ResponseMessage;
         }
 
-        private void ValidateQueryParams(Uri uri)
+        private void ValidateExpectedQueryParams(Uri uri)
         {
             if (ExpectedQueryParams != null && ExpectedQueryParams.Any())
             {
                 Assert.IsFalse(string.IsNullOrEmpty(uri.Query), $"Provided url ({uri.AbsoluteUri}) does not contain query parameters as expected.");
-                var inputQp = CoreHelpers.ParseKeyValueList(uri.Query.Substring(1), '&', false, null);
+                Dictionary<string, string> inputQp = CoreHelpers.ParseKeyValueList(uri.Query.Substring(1), '&', false, null);
                 Assert.AreEqual(ExpectedQueryParams.Count, inputQp.Count, "Different number of query params.");
                 foreach (var key in ExpectedQueryParams.Keys)
                 {
@@ -95,6 +98,35 @@ private void ValidateQueryParams(Uri uri)
             }
         }
 
+        private void ValidateNotExpectedQueryParams(Uri uri)
+        {
+            if (NotExpectedQueryParams != null && NotExpectedQueryParams.Any())
+            {
+                // Parse actual query params again (or reuse inputQp if you like)
+                Dictionary<string, string> actualQueryParams = CoreHelpers.ParseKeyValueList(uri.Query.Substring(1), '&', false, null);
+                List<string> unexpectedKeysFound = new List<string>();
+
+                foreach (KeyValuePair<string, string> kvp in NotExpectedQueryParams)
+                {
+                    // Check if the request's query has this key
+                    if (actualQueryParams.TryGetValue(kvp.Key, out string value))
+                    {
+                        // Optionally, also check if we care about matching the *value*:
+                        if (string.Equals(value, kvp.Value, StringComparison.OrdinalIgnoreCase))
+                        {
+                            unexpectedKeysFound.Add(kvp.Key);
+                        }
+                    }
+                }
+
+                // Fail if any "not expected" key/value pairs were found
+                Assert.IsTrue(
+                    unexpectedKeysFound.Count == 0,
+                    $"Did not expect to find these query parameter keys/values: {string.Join(", ", unexpectedKeysFound)}"
+                );
+            }
+        }
+
         private async Task ValidatePostDataAsync(HttpRequestMessage request)
         {
             if (request.Method != HttpMethod.Get && request.Content != null)