From 191d1f0fe9655d4cdbb2c16be9b95903077be8e8 Mon Sep 17 00:00:00 2001
From: Gladwin Johnson <90415114+gladjohn@users.noreply.github.com>
Date: Mon, 22 Sep 2025 13:10:49 -0700
Subject: [PATCH] Add token revocation support for App Service
---
 .../ManagedIdentity/AppServiceManagedIdentitySource.cs | 2 +-
 .../ManagedIdentity/ManagedIdentitySourceExtensions.cs | 5 +++--
 .../Core/Mocks/MockHttpManagerExtensions.cs | 2 +-
 .../HeadlessTests/ManagedIdentityTests.NetFwk.cs | 4 ++++
 4 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs
index 10fef4610b..efc156b691 100644
--- a/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs
+++ b/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs
@@ -14,7 +14,7 @@ namespace Microsoft.Identity.Client.ManagedIdentity
 internal class AppServiceManagedIdentitySource : AbstractManagedIdentity
 {
 // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
- private const string AppServiceMsiApiVersion = "2019-08-01";
+ private const string AppServiceMsiApiVersion = "2025-03-30";
 private const string SecretHeaderName = "X-IDENTITY-HEADER";
 private readonly Uri _endpoint;
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs
index 6bbf861834..592f054b76 100644
--- a/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs
+++ b/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs
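Review bot: In AppServiceManagedIdentitySource.cs the new `AppServiceMsiApiVersion` value applies to every App Service token request, not only those that carry claims, and nothing in the hunk records why this version was chosen. Going by the commit subject it is the version that enables token revocation, so a comment next to the constant would keep a later edit from silently reverting it, for example `// 2025-03-30: needed for token revocation (claims and client capabilities); keep in sync with ManagedIdentitySourceExtensions.s_supportsClaimsAndCaps`. It is also worth confirming that every host exposing this endpoint accepts the new version, since a rejected version would presumably fail all managed-identity token acquisition there; that cannot be verified from the visible lines. The class body continues outside the hunk.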
@@ -9,8 +9,9 @@ internal static class ManagedIdentitySourceExtensions
 {
 private static readonly HashSet s_supportsClaimsAndCaps =
 [
- // add other sources here as they light up
- ManagedIdentitySource.ServiceFabric,
+ // add other sources here as they light up
+ ManagedIdentitySource.ServiceFabric,
+ ManagedIdentitySource.AppService
 ];
 internal static bool SupportsClaimsAndCapabilities(
diff --git a/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs b/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs
index 565ca72e68..dbfb49ecf9 100644
--- a/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs
+++ b/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs
@@ -447,7 +447,7 @@ private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(
 {
 case ManagedIdentitySource.AppService:
 httpMessageHandler.ExpectedMethod = HttpMethod.Get;
- expectedQueryParams.Add("api-version", "2019-08-01");
+ expectedQueryParams.Add("api-version", "2025-03-30");
 expectedQueryParams.Add("resource", resource);
 expectedRequestHeaders.Add("X-IDENTITY-HEADER", "secret");
 break;
diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs
index cfb1c04af3..589a2dd7db 100644
--- a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs
+++ b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs
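Review bot: In ManagedIdentitySourceExtensions.cs the new `ManagedIdentitySource.AppService` entry is only valid while AppServiceManagedIdentitySource targets an api-version that understands claims and client capabilities, but nothing here ties the two together. A comment on the entry such as `// AppService: depends on AppServiceMsiApiVersion "2025-03-30" in AppServiceManagedIdentitySource` would make that dependency visible to whoever touches either file. As a smaller style point, the first two entries are re-indented without any textual change, and a trailing comma after `ManagedIdentitySource.AppService` would keep the next addition to a one-line diff. SupportsClaimsAndCapabilities itself lies outside the hunk.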
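Review bot: In MockHttpManagerExtensions.cs the AppService case still expects only `api-version`, `resource` and the `X-IDENTITY-HEADER` header, so within this hunk nothing asserts that claims or client capabilities are actually sent for App Service now that the source is listed as supporting them. The diffstat shows no added unit test; the only new assertion is in the integration test. Unless code after the switch (outside the hunk) already adds those expectations per source, consider a mocked AppService test with a claims challenge that verifies the request carries them and that the cached token is bypassed.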
@@ -414,6 +414,10 @@ public async Task AcquireMSITokenWithClaimsAsync(
 // Token source should now be IdentityProvider again
 Assert.AreEqual(TokenSource.IdentityProvider, result3.AuthenticationResultMetadata.TokenSource);
+
+ // The new access token (with claims) must be different than the initial one
+ Assert.AreNotEqual(result1.AccessToken, result3.AccessToken,
+ "Claims challenge should result in a new access token different from the initial one.");
 }
 }
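Review bot: When it fails, `Assert.AreNotEqual(result1.AccessToken, result3.AccessToken, ...)` will typically print both compared values in the assertion message (MSTest and NUnit both do), which in an integration test would write a managed-identity access token into CI logs. Comparing inside a boolean assertion avoids that: `Assert.IsFalse(result1.AccessToken == result3.AccessToken, "Claims challenge should result in a new access token different from the initial one.");`. The preceding TokenSource assertion already shows the token came from the identity provider, so the boolean form loses no diagnostic value. The method starts outside the hunk.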