MSAL MSI with Credentials - Authentication Design #5096

gladjohn · 2025-01-22T18:27:38Z

This pull request includes several important changes that provide detailed guidance on implementing and handling the MSI V2 /credential endpoint, including token acquisition, SLC revocation, and probing logic for VM/VMSS. The key changes are summarized below:

Implementation of MSI V2 `/credential` Endpoint:

Added a design document outlining the token acquisition process for MSI V2 using the /credential endpoint, including steps for certificate handling and source detection logic.

SLC Revocation Specification:

Introduced a specification for handling short-lived credential (SLC) revocation scenarios, detailing the process for obtaining new credentials when an existing one is revoked or invalid.

VM/VMSS Credential Endpoint Probe Logic:

Added documentation on the probe logic to determine the availability of the MSI V2 /credential endpoint in IMDS for VM/VMSS, including handling IMDS restart scenarios and expected responses.

docs/msi_with_credential_design.md

bgavrilMS · 2025-01-28T10:57:58Z

docs/msi_with_credential_design.md

+- Send a POST request to the IMDS `/credential` endpoint with the certificate details.
+- The request must include:
+  - `Metadata: true` header.
+  - `X-ms-Client-Request-id` header with a GUID.


Presumably this is the CorrelationID similar to CCA's correlation ID? And it also implies that we should add WithCorrelationID API to MSIApplication?

if we add a WithCorrelationID, will it be a no-op in legacy MSI?

docs/msi_with_credential_design.md

bgavrilMS · 2025-01-28T11:19:07Z

docs/msi_with_credential_design.md

+| `WithClientCapabilities()`       | Allows client capabilities                                |
+| `WithClaims()`                   | Allows passing of claims (bypasses cache).                |
+| `GetBindingCertificate()`        | Helper method to get the binding certificate.             |
+| `GetManagedIdentitySourceAsync()`| Helper method to get the managed identity source.         |


This alraedy exists in all MSALs no? For Azure SDK. Do we add an extra source?

yes we are adding a new GetManagedIdentitySourceAsync

docs/msi_with_credential_design.md

docs/slc_revocation_spec.md

docs/msi_with_credential_design.md

bgavrilMS · 2025-01-28T11:22:58Z

docs/msi_with_credential_design.md

+- Convert the certificate to a Base64-encoded string (`x5c`).
+- Format the JSON payload containing the certificate details for request authentication.
+
+### 4. Request MSI Credential


What about credential caching? Where do we cache this?

we do not cache credentials

docs/vm_vmss_credential_probe.md

bgavrilMS · 2025-01-28T11:45:14Z

docs/msi_with_credential_design.md

+
+- **[SLC Design Document](https://microsoft.sharepoint.com/:w:/t/AzureMSI/EURnTEtFXPlDngpYhCUioqUBvbSUWEX7vZjP0nm8bxUsQA?e=Ejok1n&wdLOR=cE6820299-49AF-4D7A-B7F7-F58D65C232B6)**
+- **[MSAL EPIC](https://identitydivision.visualstudio.com/Engineering/_workitems/edit/3027078)**
+


There needs to be a telemetry chapter. At a minimum we'd want to know if we are dealing with a self-generated cert or one read from the store. Anything else?

bgavrilMS · 2025-01-28T11:46:42Z

docs/vm_vmss_credential_probe.md

+| **4️⃣** | If **500 Internal Server Error**, check the **Server** header. | `"Microsoft-IIS/10.0"` (no `IMDS/`) | Retry the request (IMDS might be restarting). |
+| **5️⃣** | If the response does not match the above cases, treat it as **unexpected behavior**. | | Log the issue or fallback to IMDS `/token` if applicable. |
+
+---


Telemetry chapter? Smth like Probe outcome - "found the endpoint with no retries", "found with retries" and "not found"

bgavrilMS · 2025-01-28T11:47:37Z

docs/slc_revocation_spec.md

+## **MSAL Behavior to Relay the Signal to IMDS**
+
+- MSAL can only determine that an `{ "error": "invalid_client" }` response is caused by a credential issue but cannot handle suberrors explicitly.
+- For SLC-related errors, MSAL will retry obtaining a new SLC from IMDS and retry with eSTS.


retry logic needs details.

bgavrilMS · 2025-01-28T11:48:18Z

docs/slc_revocation_spec.md

+
+return tokenResponse;
+```
+


Telemetyry chapter and acceptance tests chapter are missing.

bgavrilMS · 2025-01-28T11:48:52Z

docs/slc_revocation_spec.md

+
+- MSAL can only determine that an `{ "error": "invalid_client" }` response is caused by a credential issue but cannot handle suberrors explicitly.
+- For SLC-related errors, MSAL will retry obtaining a new SLC from IMDS and retry with eSTS.
+- For claims challenges, MSAL does not get a signal from eSTS but rather from the app developer when passing claims to MSAL.


Probably deserves its own chapter?

init

54cfce2

gladjohn requested a review from a team as a code owner January 22, 2025 18:27

GladwinJohnson and others added 7 commits January 22, 2025 10:35

doc links

837ef5b

apis

4bda98e

typo

8f09566

Update MSI V2 authentication steps and API table

b55a948

Create slc_revocation_spec.md

7cdffc2

Add MSAL EPIC link to related documents.

8a1ebe3

Update revocation spec with unspecified credential issue

ff0c095