Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Engineering task] Implement Claims API to Bypass Cache When Claims are Present in MSAL with Managed Identity #725

Closed
gladjohn opened this issue Jul 17, 2024 · 0 comments · Fixed by #730
Closed

[Engineering task] Implement Claims API to Bypass Cache When Claims are Present in MSAL with Managed Identity #725

gladjohn opened this issue Jul 17, 2024 · 0 comments · Fixed by #730
Assignees
@rayluo
Labels
feature request scenario: managed identity

Comments

@gladjohn
Copy link

gladjohn commented Jul 17, 2024
edited
Loading

MSAL client type

Confidential

Problem Statement

Task type
Development

Description
Currently, MSAL with Managed Identity does not expose any API claims API. With CAE (Continuous Access Evaluation) being enabled by default, we need to implement a mechanism to bypass the cache if claims are detected in the token request.

Steps to Reproduce:

  • Enable CAE by default in MSAL with Managed Identity.
  • Make a token request with claims present.

Observe that the cache is not bypassed, leading to potential stale token usage.

Expected Behavior:
When claims are present in the token request, the cache should be bypassed to ensure that the latest token is used, in line with CAE requirements.

Proposed solution

  • Expose the claims API in MSAL for MI
  • Expose Claims to MI Assertion Provider for FIC
  • By-pass cache when claims are present

note : msi v1 endpoint is unchanged so there is no need to pass any claims to the endpoint itself, this feature is done so MSAL will bypass the cache.
@gladjohn gladjohn changed the title [Engineering task] Implement Claims API to Bypass Cache When Claims are Present in MSAL with Managed Identity #4845 [Engineering task] Implement Claims API to Bypass Cache When Claims are Present in MSAL with Managed Identity Jul 17, 2024
@gladjohn gladjohn assigned gladjohn and rayluo and unassigned gladjohn Aug 6, 2024
@rayluo rayluo mentioned this issue Aug 7, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rayluo rayluo

Labels
feature request scenario: managed identity
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

CAE for MIv1 AzureAD/microsoft-authentication-library-for-python
2 participants
@rayluo @gladjohn