
[Engineering task] Implement Claims API to Bypass Cache When Claims are Present in MSAL with Managed Identity #4845

@gladjohn

Task type

Development

Description

Currently, MSAL with Managed Identity does not expose any claims API. With CAE (Continuous Access Evaluation) being enabled by default, we need to implement a mechanism to bypass the cache if claims are detected in the token request.

Steps to Reproduce:

  1. Enable CAE by default in MSAL with Managed Identity.
  2. Make a token request with claims present.
  3. Observe that the cache is not bypassed, leading to potential stale token usage.

Expected Behavior:
When claims are present in the token request, the cache should be bypassed to ensure that the latest token is used, in line with CAE requirements.

Solution

Proposed Solution:

  1. Expose the claims API in MSAL for MI
  2. Expose Claims to MI Assertion Provider for FIC
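
The expected behavior described above, sketched as an added example (not part of the original issue and not MSAL's code). `ManagedIdentityTokenSource`, `acquire_token` and the fake endpoint are hypothetical names, the claims string is constructed, and overwriting the cache entry after a claims request is an assumption of this sketch.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class CachedToken:
    value: str
    expires_at: float  # epoch seconds


class ManagedIdentityTokenSource:
    """Hypothetical stand-in for a managed identity client (not MSAL's API)."""

    def __init__(self, fetch: Callable[[str, Optional[str]], CachedToken]):
        self._fetch = fetch  # identity endpoint call, injected so this runs offline
        self._cache: Dict[str, CachedToken] = {}
        self.endpoint_calls = 0

    def acquire_token(self, resource: str, claims: Optional[str] = None) -> str:
        has_claims = bool(claims and claims.strip())
        cached = self._cache.get(resource)
        # Serve from cache only when no claims were sent and the token is unexpired.
        if not has_claims and cached and cached.expires_at > time.time():
            return cached.value
        # Claims present, cache miss or expiry: skip the cache and ask the endpoint.
        self.endpoint_calls += 1
        fresh = self._fetch(resource, claims if has_claims else None)
        # Assumption: overwrite the entry so later claim-less calls do not
        # get the token that the claims request was meant to replace.
        self._cache[resource] = fresh
        return fresh.value


def make_fake_endpoint() -> Callable[[str, Optional[str]], CachedToken]:
    """Constructed endpoint: issues token-1, token-2, ... valid for one hour."""
    issued = {"n": 0}

    def fetch(resource: str, claims: Optional[str]) -> CachedToken:
        issued["n"] += 1
        return CachedToken(f"token-{issued['n']}", time.time() + 3600)

    return fetch


# Constructed claims value, for illustration only.
SAMPLE_CLAIMS = '{"access_token":{"nbf":{"essential":true,"value":"1700000000"}}}'
```
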


Status: Done
