Add token revocation support for App Service

gladjohn · gladjohn · commit 191d1f0fe965 · 2025-09-22T13:10:49.000-07:00
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs
@@ -14,7 +14,7 @@ namespace Microsoft.Identity.Client.ManagedIdentity
     internal class AppServiceManagedIdentitySource : AbstractManagedIdentity
     {
         // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
-        private const string AppServiceMsiApiVersion = "2019-08-01";
+        private const string AppServiceMsiApiVersion = "2025-03-30";
         private const string SecretHeaderName = "X-IDENTITY-HEADER";
 
         private readonly Uri _endpoint;
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs
@@ -9,8 +9,9 @@ internal static class ManagedIdentitySourceExtensions
     {
         private static readonly HashSet<ManagedIdentitySource> s_supportsClaimsAndCaps =
         [
-        // add other sources here as they light up
-        ManagedIdentitySource.ServiceFabric,
+            // add other sources here as they light up
+            ManagedIdentitySource.ServiceFabric,
+            ManagedIdentitySource.AppService
         ];
 
         internal static bool SupportsClaimsAndCapabilities(
diff --git a/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs b/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs
@@ -447,7 +447,7 @@ private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(
             {
                 case ManagedIdentitySource.AppService:
                     httpMessageHandler.ExpectedMethod = HttpMethod.Get;
-                    expectedQueryParams.Add("api-version", "2019-08-01");
+                    expectedQueryParams.Add("api-version", "2025-03-30");
                     expectedQueryParams.Add("resource", resource);
                     expectedRequestHeaders.Add("X-IDENTITY-HEADER", "secret");
                     break;
diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs
@@ -414,6 +414,10 @@ public async Task AcquireMSITokenWithClaimsAsync(
                 // Token source should now be IdentityProvider again
                 Assert.AreEqual(TokenSource.IdentityProvider,
                                 result3.AuthenticationResultMetadata.TokenSource);
+
+                // The new access token (with claims) must be different than the initial one
+                Assert.AreNotEqual(result1.AccessToken, result3.AccessToken,
+                    "Claims challenge should result in a new access token different from the initial one.");
             }
         }
 

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ namespace Microsoft.Identity.Client.ManagedIdentity`
`14`	`14`	`internal class AppServiceManagedIdentitySource : AbstractManagedIdentity`
`15`	`15`	`{`
`16`	`16`	`// MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity`
`17`		`- private const string AppServiceMsiApiVersion = "2019-08-01";`
	`17`	`+ private const string AppServiceMsiApiVersion = "2025-03-30";`
`18`	`18`	`private const string SecretHeaderName = "X-IDENTITY-HEADER";`
`19`	`19`
`20`	`20`	`private readonly Uri _endpoint;`
Original file line number	Diff line number	Diff line change
`@@ -9,8 +9,9 @@ internal static class ManagedIdentitySourceExtensions`
`9`	`9`	`{`
`10`	`10`	`private static readonly HashSet<ManagedIdentitySource> s_supportsClaimsAndCaps =`
`11`	`11`	`[`
`12`		`- // add other sources here as they light up`
`13`		`- ManagedIdentitySource.ServiceFabric,`
	`12`	`+ // add other sources here as they light up`
	`13`	`+ ManagedIdentitySource.ServiceFabric,`
	`14`	`+ ManagedIdentitySource.AppService`
`14`	`15`	`];`
`15`	`16`
`16`	`17`	`internal static bool SupportsClaimsAndCapabilities(`
Original file line number	Diff line number	Diff line change
`@@ -447,7 +447,7 @@ private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(`
`447`	`447`	`{`
`448`	`448`	`case ManagedIdentitySource.AppService:`
`449`	`449`	`httpMessageHandler.ExpectedMethod = HttpMethod.Get;`
`450`		`- expectedQueryParams.Add("api-version", "2019-08-01");`
	`450`	`+ expectedQueryParams.Add("api-version", "2025-03-30");`
`451`	`451`	`expectedQueryParams.Add("resource", resource);`
`452`	`452`	`expectedRequestHeaders.Add("X-IDENTITY-HEADER", "secret");`
`453`	`453`	`break;`
Original file line number	Diff line number	Diff line change
`@@ -414,6 +414,10 @@ public async Task AcquireMSITokenWithClaimsAsync(`
`414`	`414`	`// Token source should now be IdentityProvider again`
`415`	`415`	`Assert.AreEqual(TokenSource.IdentityProvider,`
`416`	`416`	`result3.AuthenticationResultMetadata.TokenSource);`
	`417`	`+`
	`418`	`+ // The new access token (with claims) must be different than the initial one`
	`419`	`+ Assert.AreNotEqual(result1.AccessToken, result3.AccessToken,`
	`420`	`+ "Claims challenge should result in a new access token different from the initial one.");`
`417`	`421`	`}`
`418`	`422`	`}`
`419`	`423`