initial

Author: GladwinJohnson

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenForManagedIdentityParameters.cs

@@ -16,6 +16,8 @@ internal class AcquireTokenForManagedIdentityParameters : IAcquireTokenParameter
 
         public string Resource { get; set; }
 
+        public string Claims { get; set; }
+
         public void LogParameters(ILoggerAdapter logger)
         {
             if (logger.IsLoggingEnabled(LogLevel.Info))

src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs

@@ -36,6 +36,7 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok
             // Skip checking cache when force refresh or claims is specified
             if (_managedIdentityParameters.ForceRefresh || !string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
             {
+                _managedIdentityParameters.Claims = AuthenticationRequestParameters.Claims;
                 AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ForceRefreshOrClaims;
 
                 logger.Info("[ManagedIdentityRequest] Skipped looking for a cached access token because ForceRefresh or Claims were set. " +

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs

@@ -12,6 +12,8 @@
 using System.Net;
 using Microsoft.Identity.Client.ApiConfig.Parameters;
 using System.Text;
+using System.Collections.Generic;
+using System.Linq;
 #if SUPPORTS_SYSTEM_TEXT_JSON
 using System.Text.Json;
 #else
@@ -48,7 +50,7 @@ public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
             // Convert the scopes to a resource string.
             string resource = parameters.Resource;
 
-            ManagedIdentityRequest request = CreateRequest(resource);
+            ManagedIdentityRequest request = CreateRequest(resource, parameters);
 
             _requestContext.Logger.Info("[Managed Identity] Sending request to managed identity endpoints.");
 
@@ -130,7 +132,7 @@ protected virtual Task<ManagedIdentityResponse> HandleResponseAsync(
             throw exception;
         }
 
-        protected abstract ManagedIdentityRequest CreateRequest(string resource);
+        protected abstract ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters);
 
         protected ManagedIdentityResponse GetSuccessfulResponse(HttpResponse response)
         {
@@ -298,5 +300,54 @@ private static void CreateAndThrowException(string errorCode,
 
             throw exception;
         }
+
+        /// <summary>
+        /// Sets the claims and capabilities in the request.
+        /// </summary>
+        /// <param name="request"></param>
+        /// <param name="parameters"></param>
+        protected virtual void ApplyClaimsAndCapabilities(
+            ManagedIdentityRequest request,
+            AcquireTokenForManagedIdentityParameters parameters)
+        {
+            IEnumerable<string> clientCapabilities = _requestContext.ServiceBundle.Config.ClientCapabilities;
+
+            // If claims are present, set bypass_cache=true
+            if (!string.IsNullOrEmpty(parameters.Claims))
+            {
+                SetRequestParameter(request, "bypass_cache", "true");
+                _requestContext.Logger.Info("[Managed Identity] Setting bypass_cache=true in the Managed Identity request due to claims.");
+
+                // Set xms_cc only if clientCapabilities exist
+                if (clientCapabilities != null && clientCapabilities.Any())
+                {
+                    SetRequestParameter(request, "xms_cc", string.Join(",", clientCapabilities));
+                    _requestContext.Logger.Info("[Managed Identity] Adding client capabilities (xms_cc) to Managed Identity request.");
+                }
+            }
+            else
+            {
+                SetRequestParameter(request, "bypass_cache", "false");
+                _requestContext.Logger.Info("[Managed Identity] Setting bypass_cache=false (no claims provided).");
+            }
+        }
+
+        /// <summary>
+        /// Sets the request parameter in either the query or body based on the request method.
+        /// </summary>
+        /// <param name="request"></param>
+        /// <param name="key"></param>
+        /// <param name="value"></param>
+        protected void SetRequestParameter(ManagedIdentityRequest request, string key, string value)
+        {
+            if (request.Method == HttpMethod.Post)
+            {
+                request.BodyParameters[key] = value;
+            }
+            else
+            {
+                request.QueryParameters[key] = value;
+            }
+        }
     }
 }

src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs

@@ -4,6 +4,8 @@
 using System;
 using System.Collections.Generic;
 using System.Globalization;
+using System.Linq;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.Utils;
@@ -13,7 +15,7 @@ namespace Microsoft.Identity.Client.ManagedIdentity
     internal class AppServiceManagedIdentitySource : AbstractManagedIdentity
     {
         // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
-        private const string AppServiceMsiApiVersion = "2019-08-01";
+        private const string AppServiceMsiApiVersion = "2025-03-30";
         private const string SecretHeaderName = "X-IDENTITY-HEADER";
 
         private readonly Uri _endpoint;
@@ -65,14 +67,16 @@ private static bool TryValidateEnvVars(string msiEndpoint, ILoggerAdapter logger
             return true;
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new(System.Net.Http.HttpMethod.Get, _endpoint);
 
             request.Headers.Add(SecretHeaderName, _secret);
             request.QueryParameters["api-version"] = AppServiceMsiApiVersion;
             request.QueryParameters["resource"] = resource;
 
+            ApplyClaimsAndCapabilities(request, parameters);
+
             switch (_requestContext.ServiceBundle.Config.ManagedIdentityId.IdType)
             {
                 case AppConfig.ManagedIdentityIdType.ClientId:

src/client/Microsoft.Identity.Client/ManagedIdentity/AzureArcManagedIdentitySource.cs

@@ -78,13 +78,16 @@ private AzureArcManagedIdentitySource(Uri endpoint, RequestContext requestContex
             }
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new ManagedIdentityRequest(System.Net.Http.HttpMethod.Get, _endpoint);
 
             request.Headers.Add("Metadata", "true");
             request.QueryParameters["api-version"] = ArcApiVersion;
             request.QueryParameters["resource"] = resource;
+            request.QueryParameters["bypass_cache"] = "false";
+
+            ApplyClaimsAndCapabilities(request, parameters);
 
             return request;
         }
@@ -118,7 +121,7 @@ protected override async Task<ManagedIdentityResponse> HandleResponseAsync(
 
                 var authHeaderValue = "Basic " + File.ReadAllText(splitChallenge[1]);
 
-                ManagedIdentityRequest request = CreateRequest(parameters.Resource);
+                ManagedIdentityRequest request = CreateRequest(parameters.Resource, parameters);
 
                 _requestContext.Logger.Verbose(() => "[Managed Identity] Adding authorization header to the request.");
                 request.Headers.Add("Authorization", authHeaderValue);

src/client/Microsoft.Identity.Client/ManagedIdentity/CloudShellManagedIdentitySource.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Globalization;
 using System.Net.Http;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 
@@ -73,14 +74,16 @@ private CloudShellManagedIdentitySource(Uri endpoint, RequestContext requestCont
             }
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new ManagedIdentityRequest(HttpMethod.Post, _endpoint);
 
             request.Headers.Add("ContentType", "application/x-www-form-urlencoded");
             request.Headers.Add("Metadata", "true");
 
             request.BodyParameters.Add("resource", resource);
+            
+            ApplyClaimsAndCapabilities(request, parameters);
 
             return request;
         }

src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsManagedIdentitySource.cs

@@ -56,14 +56,16 @@ internal ImdsManagedIdentitySource(RequestContext requestContext) :
             requestContext.Logger.Verbose(() => "[Managed Identity] Creating IMDS managed identity source. Endpoint URI: " + _imdsEndpoint);
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new(HttpMethod.Get, _imdsEndpoint);
 
             request.Headers.Add("Metadata", "true");
             request.QueryParameters["api-version"] = ImdsApiVersion;
             request.QueryParameters["resource"] = resource;
 
+            ApplyClaimsAndCapabilities(request, parameters);
+
             switch (_requestContext.ServiceBundle.Config.ManagedIdentityId.IdType)
             {
                 case AppConfig.ManagedIdentityIdType.ClientId:

src/client/Microsoft.Identity.Client/ManagedIdentity/MachineLearningManagedIdentitySource.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Globalization;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 
@@ -62,7 +63,7 @@ private static bool TryValidateEnvVars(string msiEndpoint, ILoggerAdapter logger
             return true;
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new(System.Net.Http.HttpMethod.Get, _endpoint);
 
@@ -71,6 +72,8 @@ protected override ManagedIdentityRequest CreateRequest(string resource)
             request.QueryParameters["api-version"] = MachineLearningMsiApiVersion;
             request.QueryParameters["resource"] = resource;
 
+            ApplyClaimsAndCapabilities(request, parameters);
+
             switch (_requestContext.ServiceBundle.Config.ManagedIdentityId.IdType)
             {
                 case AppConfig.ManagedIdentityIdType.ClientId:

src/client/Microsoft.Identity.Client/ManagedIdentity/ServiceFabricManagedIdentitySource.cs

@@ -5,6 +5,7 @@
 using System.Globalization;
 using System.Net.Http;
 using System.Net.Security;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 
@@ -32,9 +33,9 @@ public static AbstractManagedIdentity Create(RequestContext requestContext)
                 var exception = MsalServiceExceptionFactory.CreateManagedIdentityException(
                     MsalError.InvalidManagedIdentityEndpoint,
                     errorMessage,
-                    null, 
+                    null,
                     ManagedIdentitySource.ServiceFabric,
-                    null); 
+                    null);
 
                 throw exception;
             }
@@ -54,7 +55,7 @@ internal override bool ValidateServerCertificate(HttpRequestMessage message, Sys
             return string.Equals(certificate.GetCertHashString(), EnvironmentVariables.IdentityServerThumbprint, StringComparison.OrdinalIgnoreCase);
         }
 
-        private ServiceFabricManagedIdentitySource(RequestContext requestContext, Uri endpoint, string identityHeaderValue) : 
+        private ServiceFabricManagedIdentitySource(RequestContext requestContext, Uri endpoint, string identityHeaderValue) :
         base(requestContext, ManagedIdentitySource.ServiceFabric)
         {
             _endpoint = endpoint;
@@ -66,7 +67,7 @@ private ServiceFabricManagedIdentitySource(RequestContext requestContext, Uri en
             }
         }
 
-        protected override ManagedIdentityRequest CreateRequest(string resource)
+        protected override ManagedIdentityRequest CreateRequest(string resource, AcquireTokenForManagedIdentityParameters parameters)
         {
             ManagedIdentityRequest request = new ManagedIdentityRequest(HttpMethod.Get, _endpoint);
 
@@ -75,6 +76,8 @@ protected override ManagedIdentityRequest CreateRequest(string resource)
             request.QueryParameters["api-version"] = ServiceFabricMsiApiVersion;
             request.QueryParameters["resource"] = resource;
 
+            ApplyClaimsAndCapabilities(request, parameters);
+
             switch (_requestContext.ServiceBundle.Config.ManagedIdentityId.IdType)
             {
                 case AppConfig.ManagedIdentityIdType.ClientId: