AzureAD · Robbie-Microsoft · Apr 2, 2025 · Apr 2, 2025 · Apr 2, 2025 · Apr 2, 2025
diff --git a/change/@azure-msal-node-cb198692-a92c-4591-96a7-77bb2383a356.json b/change/@azure-msal-node-cb198692-a92c-4591-96a7-77bb2383a356.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Added token revocation functionality to Managed Identity's App Service source #7772",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
@@ -40,7 +40,10 @@ import { ManagedIdentityId } from "../config/ManagedIdentityId.js";
 import { HashUtils } from "../crypto/HashUtils.js";
 
 const SOURCES_THAT_SUPPORT_TOKEN_REVOCATION: Array<ManagedIdentitySourceNames> =
-    [ManagedIdentitySourceNames.SERVICE_FABRIC];
+    [
+        ManagedIdentitySourceNames.APP_SERVICE,
+        ManagedIdentitySourceNames.SERVICE_FABRIC,
+    ];
 
 /**
  * Class to initialize a managed identity and identify the service

@@ -19,7 +19,7 @@ import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
 import { NodeStorage } from "../../cache/NodeStorage.js";
 
 // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
-const APP_SERVICE_MSI_API_VERSION: string = "2019-08-01";
+const APP_SERVICE_MSI_API_VERSION: string = "2025-03-30";
 
 /**
  * Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/AppServiceManagedIdentitySource.cs

@@ -5,11 +5,14 @@
 
 import { ManagedIdentityApplication } from "../../../src/client/ManagedIdentityApplication.js";
 import {
+    CAE_CONSTANTS,
+    DEFAULT_MANAGED_IDENTITY_AUTHENTICATION_RESULT_ACCESS_TOKEN_SHA256_HASH_IN_HEX,
     DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT,
     DEFAULT_USER_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT,
     MANAGED_IDENTITY_APP_SERVICE_NETWORK_REQUEST_400_ERROR,
     MANAGED_IDENTITY_RESOURCE,
     MANAGED_IDENTITY_RESOURCE_ID,
+    TEST_CONFIG,
 } from "../../test_kit/StringConstants.js";
 
 import {
@@ -28,6 +31,7 @@ import {
 import { ManagedIdentityClient } from "../../../src/client/ManagedIdentityClient.js";
 import {
     ManagedIdentityEnvironmentVariableNames,
+    ManagedIdentityQueryParameters,
     ManagedIdentitySourceNames,
 } from "../../../src/utils/Constants.js";
 import { ManagedIdentityUserAssignedIdQueryParameterNames } from "../../../src/client/ManagedIdentitySources/BaseManagedIdentitySource.js";
@@ -176,6 +180,86 @@ describe("Acquires a token successfully via an App Service Managed Identity", ()
         });
     });
 
+    describe("Miscellaneous", () => {
+        it.each([
+            [
+                CAE_CONSTANTS.CLIENT_CAPABILITIES,
+                CAE_CONSTANTS.CLIENT_CAPABILITIES.toString(),
+            ],
+            [undefined, null],
+        ])(
+            "ignores a cached token when claims are provided (regardless of if client capabilities are provided or not) and the Managed Identity does support token revocation, and ensures the token revocation query parameter token_sha256_to_refresh is included in the network request to the Managed Identity",
+            async (providedCapabilities, capabilitiesOnNetworkRequest) => {
+                const sendGetRequestAsyncSpy: jest.SpyInstance = jest.spyOn(
+                    networkClient,
+                    <any>"sendGetRequestAsync"
+                );
+
+                const managedIdentityApplication: ManagedIdentityApplication =
+                    new ManagedIdentityApplication({
+                        ...systemAssignedConfig,
+                        clientCapabilities: providedCapabilities,
+                    });
+                expect(
+                    managedIdentityApplication.getManagedIdentitySource()
+                ).toBe(ManagedIdentitySourceNames.APP_SERVICE);
+
+                let networkManagedIdentityResult: AuthenticationResult =
+                    await managedIdentityApplication.acquireToken({
+                        resource: MANAGED_IDENTITY_RESOURCE,
+                    });
+                expect(networkManagedIdentityResult.fromCache).toBe(false);
+                expect(networkManagedIdentityResult.accessToken).toEqual(
+                    DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+                );
+
+                expect(sendGetRequestAsyncSpy.mock.calls.length).toEqual(1);
+                const firstNetworkRequestUrlParams: URLSearchParams =
+                    new URLSearchParams(
+                        sendGetRequestAsyncSpy.mock.lastCall[0]
+                    );
+                expect(
+                    firstNetworkRequestUrlParams.get(
+                        ManagedIdentityQueryParameters.XMS_CC
+                    )
+                ).toEqual(capabilitiesOnNetworkRequest);
+
+                const cachedManagedIdentityResult: AuthenticationResult =
+                    await managedIdentityApplication.acquireToken({
+                        resource: MANAGED_IDENTITY_RESOURCE,
+                    });
+                expect(cachedManagedIdentityResult.fromCache).toBe(true);
+                expect(cachedManagedIdentityResult.accessToken).toEqual(
+                    DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+                );
+                expect(sendGetRequestAsyncSpy.mock.calls.length).toEqual(1);
+
+                networkManagedIdentityResult =
+                    await managedIdentityApplication.acquireToken({
+                        claims: TEST_CONFIG.CLAIMS,
+                        resource: MANAGED_IDENTITY_RESOURCE,
+                    });
+                expect(networkManagedIdentityResult.fromCache).toBe(false);
+                expect(networkManagedIdentityResult.accessToken).toEqual(
+                    DEFAULT_SYSTEM_ASSIGNED_MANAGED_IDENTITY_AUTHENTICATION_RESULT.accessToken
+                );
+
+                expect(sendGetRequestAsyncSpy.mock.calls.length).toEqual(2);
+                const secondNetworkRequestUrlParams: URLSearchParams =
+                    new URLSearchParams(
+                        sendGetRequestAsyncSpy.mock.lastCall[0]
+                    );
+                expect(
+                    secondNetworkRequestUrlParams.get(
+                        ManagedIdentityQueryParameters.SHA256_TOKEN_TO_REFRESH
+                    )
+                ).toEqual(
+                    DEFAULT_MANAGED_IDENTITY_AUTHENTICATION_RESULT_ACCESS_TOKEN_SHA256_HASH_IN_HEX
+                );
+            }
+        );
+    });
+
     describe("Errors", () => {
         test("ensures that the error format is correct", async () => {
             const managedIdentityNetworkErrorClient400 =