Add Service Fabric token revocation support (#5421)

* main

* pr comments

* address pr comments

* pr comments

---------

Co-authored-by: Gladwin Johnson <[email protected]>

Author: gladjohn

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenForManagedIdentityParameters.cs

@@ -16,6 +16,10 @@ internal class AcquireTokenForManagedIdentityParameters : IAcquireTokenParameter
 
         public string Resource { get; set; }
 
+        public string Claims { get; set; }
+
+        public string RevokedTokenHash { get; set; }
+
         public void LogParameters(ILoggerAdapter logger)
         {
             if (logger.IsLoggingEnabled(LogLevel.Info))
@@ -25,6 +29,8 @@ public void LogParameters(ILoggerAdapter logger)
                      === AcquireTokenForManagedIdentityParameters ===
                      ForceRefresh: {ForceRefresh}
                      Resource: {Resource}
+                     Claims: {!string.IsNullOrEmpty(Claims)}
+                     RevokedTokenHash: {!string.IsNullOrEmpty(RevokedTokenHash)}
                      """);
             }
         }

src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs

@@ -10,6 +10,7 @@
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.ManagedIdentity;
 using Microsoft.Identity.Client.OAuth2;
+using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
 using Microsoft.Identity.Client.Utils;
 
 namespace Microsoft.Identity.Client.Internal.Requests
@@ -18,6 +19,7 @@ internal class ManagedIdentityAuthRequest : RequestBase
     {
         private readonly AcquireTokenForManagedIdentityParameters _managedIdentityParameters;
         private static readonly SemaphoreSlim s_semaphoreSlim = new SemaphoreSlim(1, 1);
+        private readonly ICryptographyManager _cryptoManager;
 
         public ManagedIdentityAuthRequest(
             IServiceBundle serviceBundle,
@@ -26,28 +28,62 @@ public ManagedIdentityAuthRequest(
             : base(serviceBundle, authenticationRequestParameters, managedIdentityParameters)
         {
             _managedIdentityParameters = managedIdentityParameters;
+            _cryptoManager = serviceBundle.PlatformProxy.CryptographyManager;
         }
 
         protected override async Task<AuthenticationResult> ExecuteAsync(CancellationToken cancellationToken)
         {
             AuthenticationResult authResult = null;
             ILoggerAdapter logger = AuthenticationRequestParameters.RequestContext.Logger;
 
-            // Skip checking cache when force refresh or claims is specified
-            if (_managedIdentityParameters.ForceRefresh || !string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
+            // 1. FIRST, handle ForceRefresh
+            if (_managedIdentityParameters.ForceRefresh)
             {
+                //log a warning if Claims are also set
+                if (!string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
+                {
+                    logger.Warning("[ManagedIdentityRequest] Both ForceRefresh and Claims are set. Using ForceRefresh to skip cache.");
+                }
+
                 AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ForceRefreshOrClaims;
-                
-                logger.Info("[ManagedIdentityRequest] Skipped looking for a cached access token because ForceRefresh or Claims were set. " +
-                    "This means either a force refresh was requested or claims were present.");
+                logger.Info("[ManagedIdentityRequest] Skipped using the cache because ForceRefresh was set.");
 
+                // Straight to the MI endpoint
                 authResult = await GetAccessTokenAsync(cancellationToken, logger).ConfigureAwait(false);
                 return authResult;
             }
 
-            MsalAccessTokenCacheItem cachedAccessTokenItem = await GetCachedAccessTokenAsync().ConfigureAwait(false);
+            // 2. Otherwise, look for a cached token
+            MsalAccessTokenCacheItem cachedAccessTokenItem = await GetCachedAccessTokenAsync()
+                .ConfigureAwait(false);
+
+            // If we have claims, we do NOT use the cached token (but we still need it to compute the hash).
+            if (!string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
+            {
+                _managedIdentityParameters.Claims = AuthenticationRequestParameters.Claims;
+                AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ForceRefreshOrClaims;
 
-            // No access token or cached access token needs to be refreshed 
+                // If there is a cached token, compute its hash for the “revoked token” scenario
+                if (cachedAccessTokenItem != null)
+                {
+                    string cachedTokenHash = _cryptoManager.CreateSha256HashHex(cachedAccessTokenItem.Secret);
+                    _managedIdentityParameters.RevokedTokenHash = cachedTokenHash;
+
+                    logger.Info("[ManagedIdentityRequest] Claims are present. Computed hash of the cached (revoked) token. " +
+                                "Will now request a fresh token from the MI endpoint.");
+                }
+                else
+                {
+                    logger.Info("[ManagedIdentityRequest] Claims are present, but no cached token was found. " +
+                                "Requesting a fresh token from the MI endpoint without a revoked-token hash.");
+                }
+
+                // In both cases, we skip using the cached token and get a new one
+                authResult = await GetAccessTokenAsync(cancellationToken, logger).ConfigureAwait(false);
+                return authResult;
+            }
+
+            // 3. If we have no ForceRefresh and no claims, we can use the cache
             if (cachedAccessTokenItem != null)
             {
                 authResult = CreateAuthenticationResultFromCache(cachedAccessTokenItem);
@@ -67,30 +103,33 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok
 
                         SilentRequestHelper.ProcessFetchInBackground(
                         cachedAccessTokenItem,
-                        () =>
-                        {
-                            // Use a linked token source, in case the original cancellation token source is disposed before this background task completes.
-                            using var tokenSource = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
-                            return GetAccessTokenAsync(tokenSource.Token, logger);
-                        }, logger, ServiceBundle, AuthenticationRequestParameters.RequestContext.ApiEvent,
+                            () =>
+                            {
+                                // Use a linked token source, in case the original cancellation token source is disposed before this background task completes.
+                                using var tokenSource = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
+                                return GetAccessTokenAsync(tokenSource.Token, logger);
+                            }, logger, ServiceBundle, AuthenticationRequestParameters.RequestContext.ApiEvent,
                         AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkApiId,
                         AuthenticationRequestParameters.RequestContext.ApiEvent.CallerSdkVersion);
                     }
                 }
                 catch (MsalServiceException e)
                 {
+                    // If background refresh fails, we handle the exception
                     return await HandleTokenRefreshErrorAsync(e, cachedAccessTokenItem).ConfigureAwait(false);
                 }
             }
             else
             {
-                //  No AT in the cache 
+                // No cached token
                 if (AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo != CacheRefreshReason.Expired)
                 {
                     AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.NoCachedAccessToken;
                 }
 
-                logger.Info("[ManagedIdentityRequest] No cached access token. Getting a token from the managed identity endpoint.");
+                logger.Info("[ManagedIdentityRequest] No cached access token found. " +
+                            "Getting a token from the managed identity endpoint.");
+
                 authResult = await GetAccessTokenAsync(cancellationToken, logger).ConfigureAwait(false);
             }
 
@@ -112,12 +151,15 @@ private async Task<AuthenticationResult> GetAccessTokenAsync(
 
             try
             {
-                // Bypass cache and send request to token endpoint, when
-                // 1. Force refresh is requested, or
-                // 2. If the access token needs to be refreshed proactively.
+                // While holding the semaphore, decide whether to bypass the cache.
+                // Re-check because another thread may have filled the cache while we waited.
+                // Bypass when:
+                // 1) ForceRefresh is requested
+                // 2) Proactive refresh is in effect
+                // 3) Claims are present (revocation flow)
                 if (_managedIdentityParameters.ForceRefresh || 
                     AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo == CacheRefreshReason.ProactivelyRefreshed ||
-                    !string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
+                    !string.IsNullOrEmpty(_managedIdentityParameters.Claims))
                 {
                     authResult = await SendTokenRequestForManagedIdentityAsync(logger, cancellationToken).ConfigureAwait(false);
                 }

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs

@@ -15,8 +15,8 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Net.Security;
 using Microsoft.Identity.Client.Http.Retry;
-
-
+using System.Collections.Generic;
+using System.Linq;
 #if SUPPORTS_SYSTEM_TEXT_JSON
 using System.Text.Json;
 #else
@@ -57,6 +57,15 @@ public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
 
             ManagedIdentityRequest request = CreateRequest(resource);
 
+            // Automatically add claims / capabilities if this MI source supports them
+            if (_sourceType.SupportsClaimsAndCapabilities())
+            {
+                request.AddClaimsAndCapabilities(
+                    _requestContext.ServiceBundle.Config.ClientCapabilities,
+                    parameters,
+                    _requestContext.Logger);
+            }
+
             _requestContext.Logger.Info("[Managed Identity] Sending request to managed identity endpoints.");
 
             IRetryPolicy retryPolicy = _requestContext.ServiceBundle.Config.RetryPolicyFactory.GetRetryPolicy(request.RequestType);

src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.Globalization;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.Utils;

src/client/Microsoft.Identity.Client/ManagedIdentity/CloudShellManagedIdentitySource.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Globalization;
 using System.Net.Http;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 

src/client/Microsoft.Identity.Client/ManagedIdentity/MachineLearningManagedIdentitySource.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Globalization;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 

src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentityRequest.cs

@@ -3,7 +3,11 @@
 
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using System.Net.Http;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
+using Microsoft.Identity.Client.Core;
+using Microsoft.Identity.Client.OAuth2;
 using Microsoft.Identity.Client.Utils;
 
 namespace Microsoft.Identity.Client.ManagedIdentity
@@ -39,5 +43,26 @@ public Uri ComputeUri()
 
             return uriBuilder.Uri;
         }
+
+        internal void AddClaimsAndCapabilities(
+            IEnumerable<string> clientCapabilities, 
+            AcquireTokenForManagedIdentityParameters parameters, 
+            ILoggerAdapter logger)
+        {
+            // xms_cc  – client capabilities
+            if (clientCapabilities != null && clientCapabilities.Any())
+            {
+                QueryParameters["xms_cc"] = string.Join(",", clientCapabilities);
+                logger.Info("[Managed Identity] Adding client capabilities (xms_cc) to Managed Identity request.");
+            }
+
+            // token_sha256_to_refresh – only when both claims and hash are present
+            if (!string.IsNullOrEmpty(parameters.Claims) &&
+                !string.IsNullOrEmpty(parameters.RevokedTokenHash))
+            {
+                QueryParameters["token_sha256_to_refresh"] = parameters.RevokedTokenHash;
+                logger.Info("[Managed Identity] Passing SHA-256 of the 'revoked' token to Managed Identity endpoint.");
+            }
+        }
     }
 }

src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs

@@ -0,0 +1,19 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+
+namespace Microsoft.Identity.Client.ManagedIdentity
+{
+    internal static class ManagedIdentitySourceExtensions
+    {
+        private static readonly HashSet<ManagedIdentitySource> s_supportsClaimsAndCaps =
+        [
+        // add other sources here as they light up
+        ManagedIdentitySource.ServiceFabric,
+        ];
+
+        internal static bool SupportsClaimsAndCapabilities(
+            this ManagedIdentitySource source) => s_supportsClaimsAndCaps.Contains(source);
+    }
+}

src/client/Microsoft.Identity.Client/ManagedIdentity/ServiceFabricManagedIdentitySource.cs

@@ -6,6 +6,7 @@
 using System.Net.Http;
 using System.Net.Security;
 using System.Security.Cryptography.X509Certificates;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
 
@@ -34,9 +35,9 @@ public static AbstractManagedIdentity Create(RequestContext requestContext)
                 var exception = MsalServiceExceptionFactory.CreateManagedIdentityException(
                     MsalError.InvalidManagedIdentityEndpoint,
                     errorMessage,
-                    null, 
+                    null,
                     ManagedIdentitySource.ServiceFabric,
-                    null); 
+                    null);
 
                 throw exception;
             }

src/client/Microsoft.Identity.Client/Utils/CoreHelpers.cs

@@ -75,22 +75,33 @@ public static string ToQueryParameter(this IDictionary<string, string> input)
             return builder.ToString();
         }
 
-        public static Dictionary<string, string> ParseKeyValueList(string input, char delimiter, bool urlDecode,
+        public static Dictionary<string, string> ParseKeyValueList(
+            string input,
+            char delimiter,
+            bool urlDecode,
             bool lowercaseKeys,
             RequestContext requestContext)
         {
             var response = new Dictionary<string, string>();
 
+            // Split the full query string on & (or any provided delimiter) to get individual k=v pairs.
             var queryPairs = SplitWithQuotes(input, delimiter);
 
             foreach (string queryPair in queryPairs)
             {
-                var pair = SplitWithQuotes(queryPair, '=');
+                // Instead of splitting on *all* '=' characters, find only the first one.
+                // This ensures that if the value itself contains '=', such as a trailing '=' in Base64,
+                // we do not accidentally split the base64 value into extra parts and lose the padding.
+                int idx = queryPair.IndexOf('=');
 
-                if (pair.Count == 2 && !string.IsNullOrWhiteSpace(pair[0]) && !string.IsNullOrWhiteSpace(pair[1]))
+                // idx > 0 means we found an '=' and have a valid key substring before it
+                if (idx > 0)
                 {
-                    string key = pair[0];
-                    string value = pair[1];
+                    // The key is everything before the first '='
+                    string key = queryPair.Substring(0, idx);
+
+                    // The value is everything after the first '=' (including any trailing '=')
+                    string value = queryPair.Substring(idx + 1);
 
                     // Url decoding is needed for parsing OAuth response, but not for parsing WWW-Authenticate header in 401 challenge
                     if (urlDecode)
@@ -99,16 +110,19 @@ public static Dictionary<string, string> ParseKeyValueList(string input, char de
                         value = UrlDecode(value);
                     }
 
+                    // Optionally convert key to lowercase
                     if (lowercaseKeys)
                     {
                         key = key.Trim().ToLowerInvariant();
                     }
 
+                    // Trim quotes and whitespace around the value
                     value = value.Trim().Trim('\"').Trim();
 
                     if (response.ContainsKey(key))
                     {
-                        requestContext?.Logger.Warning(string.Format(CultureInfo.InvariantCulture,
+                        requestContext?.Logger.Warning(
+                            string.Format(CultureInfo.InvariantCulture,
                             "Key/value pair list contains redundant key '{0}'.", key));
                     }